Clone Vulnerability – Missing Authorization – CVE-2024-31435 | WordPress Plugin Vulnerability Report
Plugin Name: Clone
Key Information:
- Software Type: Plugin
- Software Slug: wp-clone-by-wp-academy
- Software Status: Active
- Software Author: migrate
- Software Downloads: 3,222,101
- Active Installs: 80,000
- Last Updated: April 24, 2024
- Patched Versions: 2.4.4
- Affected Versions: <= 2.4.3
Vulnerability Details:
- Name: Inisev Analyst Module <= 2.4.3
- Title: Missing Authorization
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2024-31435
- CVSS Score: 4.3
- Publicly Published: April 10, 2024
- Researcher: Dhabaleshwar Das
- Description: Multiple plugins and/or themes by Inisev for WordPress are vulnerable to unauthorized access due to missing capability checks on several functions in various versions. This vulnerability allows authenticated attackers, with subscriber-level access or above, to perform unauthorized actions.
Summary:
The Clone plugin for WordPress contains a vulnerability in versions up to and including 2.4.3 that permits unauthorized actions due to missing authorization checks. This vulnerability has been addressed in version 2.4.4.
Detailed Overview:
The vulnerability in the Clone plugin highlights a significant security oversight in the Inisev Analyst Module, where specific functions lacked proper capability checks. This flaw could allow users with basic access levels, such as subscribers, to perform actions typically reserved for higher-level users, potentially leading to unauthorized data access or manipulation. The patched version 2.4.4 resolves these authorization issues, enhancing security measures to prevent such exploits.
Advice for Users:
- Immediate Action: Users should update to the patched version, 2.4.4, immediately to secure their installations against this vulnerability.
- Check for Signs of Vulnerability: Administrators are advised to review user activity logs for any unexpected or unauthorized actions that might have exploited this vulnerability.
- Alternate Plugins: While the current version is secure, users concerned about past vulnerabilities may consider exploring alternative backup or cloning plugins that maintain a strong record of security.
- Stay Updated: Keeping software updated to the latest versions is crucial in protecting against vulnerabilities and ensuring the highest security and functionality of your WordPress site.
Conclusion:
The prompt resolution of the missing authorization vulnerability in the Clone plugin underscores the importance of regular software updates and vigilant security practices. By updating to version 2.4.4, users can safeguard their WordPress installations from potential unauthorized access and maintain the integrity of their sites. This incident serves as a reminder of the constant need to monitor and update software components to defend against evolving security threats.