CVE-2024-43919
Published 2024-11-01
CVE-2024-43919: Access Control vulnerability in YARPP YARPP allows . This issue affects YARPP: from n/a through 5.30.10.
Priority P178 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 43.59% (98.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yarpp | yarpp | n/a – 5.30.10 | — |
| yarpp | yet_another_related_posts_plugin | <= 5.30.10 | — |
Detection & IOCs (extracted from sources)
URL: /wp-content/plugins/yet-another-related-posts-plugin/includes/yarpp_pro_set_display_types.php?ypsdt=false&types[]=post&types[]=page
- Detect exploitation attempts by monitoring unauthenticated GET requests to yarpp_pro_set_display_types.php with the query parameters ypsdt and types[].
- A successful exploit response returns HTTP 200 with Content-Type text/plain and a body of exactly 2 bytes containing 'ok'.
- Fingerprint vulnerable WordPress installations by searching for the YARPP plugin path in the page body.
- The vulnerability resides in the missing capability check in ~/includes/yarpp_pro_set_display_types.php, allowing unauthenticated access.
- The vulnerability affects YARPP plugin versions up to and including 5.30.10; versions beyond this are not confirmed vulnerable.
No detection rules found.
Nuclei
YARPP <= 5.30.10 - Missing Authorization
nuclei · CVSS 9.8 · CVE-2024-43919 [CRITICAL]
The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.
Template:
id: CVE-2024-43919
info:
  name: YARPP <= 5.30.10 - Missing Authorization
  author: s4e-io
  severity: critical
  description: |
    The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.
No writeups or analysis indexed.