CVE-2024-1390
Published 2024-02-29 · CVE-2024-1390
Priority: P4 (22) · medium
CVSS 3.1 base score: 4.3 · vector AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.54% (percentile 41.2)
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.
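The bug class behind this CVE (CWE-862, missing authorization), shown as an added example. This is not the plugin's own code and not a reconstruction of its creating_pricing_table_page function: the admin_init hook, the trigger parameter, the shortcode and the page title are assumptions chosen for illustration. What it does show is why "authenticated" is not a real gate on an admin_init handler, and what the two missing checks look like. The version check at the end uses the fixed release 2.11.2 from the Affected table.

```php
<?php
/**
 * Added illustration of the CWE-862 bug class behind CVE-2024-1390. NOT the
 * plugin's own code: the hook, trigger parameter, shortcode and page title
 * below are assumptions. Requires WordPress core functions (wp_insert_post,
 * current_user_can, check_admin_referer, wp_nonce_url, ...).
 */

// Assumed query parameter that triggers page creation.
const PMS_EXAMPLE_TRIGGER = 'pms_example_create_pricing_table';

/**
 * BEFORE (vulnerable pattern): the handler runs on admin_init and only checks
 * that the trigger parameter is present. admin_init fires for every logged-in
 * user who loads any wp-admin URL (a Subscriber can reach wp-admin/profile.php),
 * so "is logged in" is the only gate and any Subscriber can publish a page.
 */
function pms_example_create_pricing_table_page_vulnerable() {
	if ( empty( $_GET[ PMS_EXAMPLE_TRIGGER ] ) ) {
		return;
	}
	wp_insert_post( array(
		'post_title'   => 'Pricing Table',               // assumed
		'post_content' => '[pms-example-pricing-table]', // assumed shortcode
		'post_status'  => 'publish',
		'post_type'    => 'page',
	) );
}

/**
 * AFTER (hardened): the same handler with the two checks this bug class needs.
 *  1. Authorization: manage_options is held by Administrators only by default
 *     (the Subscriber role has just 'read'), which closes the reported path.
 *  2. Request integrity: a nonce bound to this action, so an administrator
 *     cannot be made to trigger it through a crafted link (CSRF).
 */
function pms_example_create_pricing_table_page_fixed() {
	if ( empty( $_GET[ PMS_EXAMPLE_TRIGGER ] ) ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to create pricing table pages.', 403 );
	}
	// Verifies _wpnonce for this action name; calls wp_die() if missing/invalid.
	check_admin_referer( PMS_EXAMPLE_TRIGGER );

	$post_id = wp_insert_post( array(
		'post_title'   => 'Pricing Table',
		'post_content' => '[pms-example-pricing-table]',
		'post_status'  => 'publish',
		'post_type'    => 'page',
	), true ); // true: return WP_Error instead of 0 on failure
	if ( is_wp_error( $post_id ) ) {
		wp_die( esc_html( $post_id->get_error_message() ) );
	}
	wp_safe_redirect( admin_url( 'edit.php?post_type=page' ) );
	exit;
}
add_action( 'admin_init', 'pms_example_create_pricing_table_page_fixed' );

/**
 * The link an administrator would click. The nonce is generated for the same
 * action name that check_admin_referer() verifies above.
 */
function pms_example_trigger_url() {
	return wp_nonce_url(
		admin_url( 'index.php?' . PMS_EXAMPLE_TRIGGER . '=1' ),
		PMS_EXAMPLE_TRIGGER
	);
}

/**
 * Version check matching the advisory's range: everything up to and including
 * 2.11.1 is unpatched; 2.11.2 is the first fixed release.
 */
function pms_example_is_unpatched( $installed_version ) {
	return version_compare( $installed_version, '2.11.2', '<' );
}
```

With the vulnerable handler, any account that can log in can request wp-admin/index.php?pms_example_create_pricing_table=1 and get a published page. With the hardened handler a Subscriber's request dies with HTTP 403 before anything is written, and even an administrator's request dies unless the URL carries the nonce from pms_example_trigger_url(). Checking the capability before the nonce is deliberate: the nonce proves intent, the capability proves authority, and the audit-relevant failure (a low-privilege account probing an admin action) should be the one that is reported.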
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | membership_content_restriction_paid_member_subscriptions | < 2.11.2 | 2.11.2 |

The aggregator listed 34 ranges (25 shown) for this record, but only the row above belongs to CVE-2024-1390. The remaining rows (Fortinet FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiClientEMS and their cloud variants; Microsoft Dynamics 365 and Windows 10, 11 and Server editions) carried no version range and come from the unrelated CWE-1390 (Weak Authentication) advisories indexed further down. They are not affected by this plugin vulnerability.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |

The aggregator also attached vendor_msrc 9.0 CRITICAL and vendor_redhat 7.5 HIGH to this record. Those scores belong to CVE-2024-38182 (Microsoft Dynamics 365) and CVE-2024-0822 (ovirt-engine), the CWE-1390 entries listed below, not to CVE-2024-1390. The only score on this page for the plugin CVE itself is NVD's 4.3 (low-privilege network attacker, integrity impact only).
GHSA
GHSA-6r87-mg59-2prc (ghsa_unreviewed, 2024-02-29): CVE-2024-1390 [MEDIUM], CWE-862 (Missing Authorization). The advisory text is identical to the description above.
Related CWE-1390 entries
The vendor advisories below were indexed alongside this record because they carry CWE-1390 (Weak Authentication). Each describes a different CVE in a different product and has no bearing on the WordPress plugin.

Fortinet
FG-IR-23-375 · CVE-2024-32119 [MEDIUM] · vendor_fortinet · 2025-06-10 · CVSS 4.8 · CWE-1390 (the advisory text itself cites CWE-287)
An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.
Affected products: FortiClientEMS
Fortinet
FG-IR-24-221: Weak Authentication in csfd daemon · CVE-2024-48886 [CRITICAL] · vendor_fortinet · 2025-01-14 · CVSS 9.0 · CWE-1390
A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3 allows an attacker to execute unauthorized code or commands via a brute-force attack.
A second copy of the advisory text on the page (cut off mid-sentence) additionally lists FortiAnalyzer versions 7.6.0 through 7.6.1 and 7.4.1 through 7.4.3: "A weak authentication in Fortinet FortiManager Cloud, FortiAnalyzer versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions"
Ivanti
Ivanti Security Advisory: CVE-2024-8322 [MEDIUM] · vendor_ivanti · 2024-09-10 · CVSS 4.3 · CWE-1390
Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or before the 2024 September update, allows a remote authenticated attacker to access restricted functionality.
Microsoft
Microsoft Dynamics 365 Elevation of Privilege Vulnerability · CVE-2024-38182 [CRITICAL] · vendor_msrc · 2024-07-09 · CVSS 9.0 · CWE-1390
Description: Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?
This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency. Please see "Toward greater transparency: Unveiling Cloud Service CVEs" for more information.
Customer Action Required: No
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation
Microsoft
Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability · CVE-2024-35248 [HIGH] · vendor_msrc · 2024-06-11 · CVSS 7.3 · CWE-1390
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability?
While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack.
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability?
The attacker would gain the rights of the user that is running the affected application.
Cus
Red Hat
ovirt: authentication bypass · CVE-2024-0822 [HIGH] · vendor_redhat · 2024-01-15 · CVSS 7.5 · CWE-1390
An authentication bypass vulnerability was found in ovirt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
Vulnerable function in trunk (line 477 of class-admin-subscription-plans.php): https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477
Fix changeset (r3031453 to r3034497): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034497%40paid-member-subscriptions%2Ftrunk&old=3031453%40paid-member-subscriptions%2Ftrunk&sfp_email=&sfph_mail=
Wordfence record: https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve