Search criteria
4 vulnerabilities found for Permalink Manager Pro by mbis
CVE-2024-2738 (GCVE-0-2024-2738)
Vulnerability from nvd – Published: 2024-04-09 18:58 – Updated: 2026-04-08 17:00
VLAI
Title
Permalink Manager Lite and Permalink Manager Pro <= 2.4.3.1 - Reflected Cross-Site Scripting
Summary
The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| mbis | Permalink Manager Lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| mbis | Permalink Manager Pro |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| permalink_manager_lite_project | permalink_manager_lite |
Affected:
0 , ≤ 2.4.3.1
(custom)
cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:* |
|
| permalink_manager_project | permalink_manager |
Affected:
0 , ≤ 2.4.3.1
(custom)
cpe:2.3:a:permalink_manager_project:permalink_manager:*:*:*:*:pro:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7020d5a1-a4a6-489c-8615-bc7898553bcf?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/561ac3c17b92cb55d3032504a076fa4b"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3052848%40permalink-manager%2Ftrunk\u0026old=3034660%40permalink-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager_lite",
"vendor": "permalink_manager_lite_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:permalink_manager_project:permalink_manager:*:*:*:*:pro:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager",
"vendor": "permalink_manager_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2738",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:13:59.255549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T21:18:30.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Lite",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Pro",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zeeshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the \u2018s\u2019 parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:17.392Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7020d5a1-a4a6-489c-8615-bc7898553bcf?source=cve"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/561ac3c17b92cb55d3032504a076fa4b"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3052848%40permalink-manager%2Ftrunk\u0026old=3034660%40permalink-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Permalink Manager Lite and Permalink Manager Pro \u003c= 2.4.3.1 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2738",
"datePublished": "2024-04-09T18:58:55.481Z",
"dateReserved": "2024-03-20T13:47:46.582Z",
"dateUpdated": "2026-04-08T17:00:17.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2538 (GCVE-0-2024-2538)
Vulnerability from nvd – Published: 2024-03-20 05:32 – Updated: 2026-04-08 17:00
VLAI
Title
Permalink Manager <= 2.4.3.1 - Missing Authorization to Authenticated(Author+) Arbitrary Post Slug Modification
Summary
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| mbis | Permalink Manager Lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| permalink_manager_lite_project | permalink_manager_lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager_lite",
"vendor": "permalink_manager_lite_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T18:28:47.144325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:30:44.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Lite",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zeeshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ajax_save_permalink\u0027 function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:26.135Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Permalink Manager \u003c= 2.4.3.1 - Missing Authorization to Authenticated(Author+) Arbitrary Post Slug Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2538",
"datePublished": "2024-03-20T05:32:54.399Z",
"dateReserved": "2024-03-15T17:29:45.829Z",
"dateUpdated": "2026-04-08T17:00:26.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2738 (GCVE-0-2024-2738)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:58 – Updated: 2026-04-08 17:00
VLAI
Title
Permalink Manager Lite and Permalink Manager Pro <= 2.4.3.1 - Reflected Cross-Site Scripting
Summary
The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| mbis | Permalink Manager Lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| mbis | Permalink Manager Pro |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| permalink_manager_lite_project | permalink_manager_lite |
Affected:
0 , ≤ 2.4.3.1
(custom)
cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:* |
|
| permalink_manager_project | permalink_manager |
Affected:
0 , ≤ 2.4.3.1
(custom)
cpe:2.3:a:permalink_manager_project:permalink_manager:*:*:*:*:pro:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:41.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7020d5a1-a4a6-489c-8615-bc7898553bcf?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/561ac3c17b92cb55d3032504a076fa4b"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3052848%40permalink-manager%2Ftrunk\u0026old=3034660%40permalink-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager_lite",
"vendor": "permalink_manager_lite_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:permalink_manager_project:permalink_manager:*:*:*:*:pro:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager",
"vendor": "permalink_manager_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2738",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:13:59.255549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T21:18:30.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Lite",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Pro",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zeeshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the \u2018s\u2019 parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:17.392Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7020d5a1-a4a6-489c-8615-bc7898553bcf?source=cve"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/561ac3c17b92cb55d3032504a076fa4b"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3052848%40permalink-manager%2Ftrunk\u0026old=3034660%40permalink-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Permalink Manager Lite and Permalink Manager Pro \u003c= 2.4.3.1 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2738",
"datePublished": "2024-04-09T18:58:55.481Z",
"dateReserved": "2024-03-20T13:47:46.582Z",
"dateUpdated": "2026-04-08T17:00:17.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2538 (GCVE-0-2024-2538)
Vulnerability from cvelistv5 – Published: 2024-03-20 05:32 – Updated: 2026-04-08 17:00
VLAI
Title
Permalink Manager <= 2.4.3.1 - Missing Authorization to Authenticated(Author+) Arbitrary Post Slug Modification
Summary
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| mbis | Permalink Manager Lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
|
|
| permalink_manager_lite_project | permalink_manager_lite |
Affected:
0 , ≤ 2.4.3.1
(semver)
cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:permalink_manager_lite_project:permalink_manager_lite:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "permalink_manager_lite",
"vendor": "permalink_manager_lite_project",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T18:28:47.144325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:30:44.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Permalink Manager Lite",
"vendor": "mbis",
"versions": [
{
"lessThanOrEqual": "2.4.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zeeshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027ajax_save_permalink\u0027 function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:00:26.135Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve"
},
{
"url": "https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3052848#file35"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Permalink Manager \u003c= 2.4.3.1 - Missing Authorization to Authenticated(Author+) Arbitrary Post Slug Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2538",
"datePublished": "2024-03-20T05:32:54.399Z",
"dateReserved": "2024-03-15T17:29:45.829Z",
"dateUpdated": "2026-04-08T17:00:26.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}