WP Reset – Most Advanced WordPress Reset Tool Vulnerability – Missing Authorization to License Key Modification – CVE-2024-4661 | WordPress Plugin Vulnerability Report

Plugin Name: WP Reset – Most Advanced WordPress Reset Tool

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-reset
  • Software Status: Active
  • Software Author: webfactory
  • Software Downloads: 7,859,387
  • Active Installs: 300,000
  • Last Updated: June 20, 2024
  • Patched Versions: 2.03
  • Affected Versions: <= 2.01

Vulnerability Details:

  • Name: WP Reset <= 2.02
  • Title: Missing Authorization to License Key Modification
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • CVE: CVE-2024-4661
  • CVSS Score: 4.3
  • Publicly Published: June 7, 2024
  • Researcher: Foxyyy
  • Description: The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_ajax' function in all versions up to, and including, 2.02. This allows authenticated attackers, with subscriber-level access and above, to modify the value of the 'License Key' field for the 'Activate Pro License' setting.

Summary:

The WP Reset plugin for WordPress has a vulnerability in versions up to and including 2.02 that allows authenticated attackers with subscriber-level access and above to modify the 'License Key' for the 'Activate Pro License' setting. This vulnerability has been patched in version 2.03.

Detailed Overview:

The vulnerability arises from a lack of proper capability checks in the 'save_ajax' function of the WP Reset plugin. By exploiting this flaw, unauthorized users can tamper with critical settings related to the plugin's license key. This could potentially lead to unauthorized activation or deactivation of premium features associated with the plugin, impacting site functionality and security.
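The pattern described above is a WordPress admin-ajax handler that updates a setting without checking the caller's capability. The following is an added illustration, not WP Reset's own code: the hook, function and option names (`example_save_setting`, `example_license_key`) are hypothetical. It shows the unchecked handler beside a hardened version that requires both a nonce and the `manage_options` capability.

```php
<?php
// Added illustration (not the plugin's own code). Hook, function and option
// names are hypothetical placeholders.

// Vulnerable pattern: wp_ajax_* hooks only require that the caller be logged in.
// They perform NO capability check, so a subscriber-level account can reach this.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unchecked' );
function example_save_setting_unchecked() {
    $value = isset( $_POST['license_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['license_key'] ) )
        : '';
    update_option( 'example_license_key', $value ); // missing authorization check
    wp_send_json_success();
}

// Hardened pattern: verify the request nonce (anti-CSRF) AND the capability
// (authorization) before touching any plugin setting.
add_action( 'wp_ajax_example_save_setting_v2', 'example_save_setting_checked' );
function example_save_setting_checked() {
    // check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['license_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['license_key'] ) )
        : '';
    update_option( 'example_license_key', $value );
    wp_send_json_success();
}
```

The nonce alone is not sufficient: a nonce proves the request came from a page the logged-in user loaded, while `current_user_can()` is what actually restricts the action to administrators.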

Advice for Users:

  • Immediate Action: Update WP Reset plugin to version 2.03 or later immediately to prevent unauthorized modification of the 'License Key'.
  • Check for Signs of Vulnerability: Monitor plugin settings for any unauthorized changes, especially related to the 'Activate Pro License' setting.
  • Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar functionality and are currently secure.
  • Stay Updated: Regularly update all WordPress plugins to their latest versions to mitigate vulnerabilities and maintain site security.
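To support the "monitor plugin settings for unauthorized changes" advice, here is an added audit snippet (not part of the plugin or this report) that logs every change to a plugin option and flags changes made by a user who lacks `manage_options`. The option name `example_license_key` is a hypothetical placeholder; it can be dropped into a must-use plugin.

```php
<?php
// Added monitoring snippet (not the plugin's own code). The option name is a
// hypothetical placeholder; the secret value itself is deliberately not logged.
add_action( 'updated_option', 'example_audit_option_change', 10, 3 );
function example_audit_option_change( $option, $old_value, $new_value ) {
    if ( 'example_license_key' !== $option ) {
        return;
    }

    $user = wp_get_current_user();
    // A setting change by someone without manage_options indicates a missing
    // authorization check somewhere in the save path.
    $flag = current_user_can( 'manage_options' ) ? 'ok' : 'SUSPICIOUS';

    error_log( sprintf(
        '[option-audit] option=%s changed_by_user=%d login=%s via=%s status=%s',
        $option,
        $user->ID,
        $user->user_login,
        wp_doing_ajax() ? 'admin-ajax' : 'other',
        $flag
    ) );
}
```

Lines tagged `SUSPICIOUS` in the PHP error log are the signal to investigate; the user ID tells you which low-privileged account made the change.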

Conclusion:

The quick release of version 2.03 by the WP Reset developers underscores the importance of timely updates in safeguarding WordPress site security. Users are strongly advised to ensure they are running version 2.03 or higher to protect their WordPress installations against potential exploits.

Detailed Report: 

In the ever-evolving realm of website security, staying vigilant against vulnerabilities is paramount to safeguarding your online presence. Today, we delve into a critical security concern affecting the WP Reset plugin for WordPress. Identified as CVE-2024-4661, this vulnerability exposes websites running versions up to and including 2.02 to potential risks from unauthorized modifications of the 'License Key' setting. This flaw allows authenticated attackers with subscriber-level access or higher to manipulate crucial plugin configurations, potentially compromising site integrity and security.

Risks/Potential Impacts:

Exploitation of this vulnerability could lead to unauthorized changes in plugin configurations, affecting the proper functioning of WordPress sites. By altering the 'License Key,' attackers may disable critical features or introduce malicious settings, posing significant risks to site availability and user data integrity.

Previous Vulnerabilities:

This isn't the first time WP Reset has faced security challenges. Two previous vulnerabilities have been reported since May 26, 2021, which underscores the importance of continuous vigilance and prompt updates in managing WordPress plugins effectively.

Conclusion:

The responsiveness of WP Reset developers in releasing version 2.03 swiftly addresses the identified vulnerability, emphasizing the critical role of timely updates in maintaining robust site security. Small business owners relying on WordPress for their online presence are urged to prioritize security measures, ensuring they are running the latest plugin versions to defend against potential exploits and uphold uninterrupted website operations.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
