CVE-2024-47308
published 2024-11-01

CVE-2024-47308: Missing Authorization vulnerability in WPDeveloper Templately (templately). This issue affects Templately: from n/a through 3.1.2.

Priority: P178
Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: Exploited (VulnCheck KEV)
EPSS: 1.70% (74.3rd percentile)

Affected (2 ranges)

Vendor       | Product    | Version range | Fixed in
templately   | templately | < 3.1.3       | 3.1.3
wpdeveloper  | templately | <= 3.1.2      | n/a

Detection & IOCs (extracted from sources)

URL: /wp-json/templately/v1/logout?_locale=user
URL: /wordpress/wp-admin/admin.php?page=templately&path=sign-in
  • Detect unauthenticated POST requests to the Templately logout REST API endpoint (/wp-json/templately/v1/logout). A 200 response whose JSON body contains both "status":"success" and "message":"Logged out." indicates a successful forced logout.
  • Match the HTTP response body for both strings, "status":"success" and "message":"Logged out.", together to confirm that the broken access control logout was triggered.
  • No authentication or prior session is required to call the logout endpoint: any unauthenticated request to /wp-json/templately/v1/logout can force-logout a signed-in Templately user.
  • The malicious request carries Content-Type: application/json; filter for POST requests to the Templately logout path with this content type from sources that carry no WordPress session.
  • The vulnerability affects Templately up to and including 3.1.2; 3.1.3 is listed as the fixed version in the affected ranges above.
  • The source quotes an EPSS score of 0.47274 (97.695th percentile); EPSS is recomputed daily, and the current value shown at the top of this page is 1.70% (74.3rd percentile). Given the in-the-wild exploitation, prioritize detection and patching regardless.
  • The exploit requires the victim to be signed into their Templately account at the time of the attack; the attacker does not need any credentials themselves.
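The detection guidance above, turned into a small triage routine that can be run over logged request/response pairs. This is an added example, not code from the page or from the Templately project; the HttpExchange record shape, the use of a wordpress_logged_in_* cookie as the "has a WordPress session" signal, and the sample exchanges are all constructed assumptions. It also adds a version check against the fixed release (3.1.3) from the affected ranges.

```python
import json
import re
from dataclasses import dataclass, field

LOGOUT_PATH = "/wp-json/templately/v1/logout"
FIXED_VERSION = (3, 1, 3)  # first fixed release per the Affected table
SUCCESS_MARKERS = ('"status":"success"', '"message":"Logged out."')


@dataclass
class HttpExchange:
    """One request/response pair as a WAF or reverse proxy might log it (constructed shape)."""
    method: str
    url: str
    request_headers: dict = field(default_factory=dict)
    status: int = 0
    response_body: str = ""


def _header(ex: HttpExchange, name: str) -> str:
    for key, value in ex.request_headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def targets_logout_endpoint(ex: HttpExchange) -> bool:
    # Drop the query string (?_locale=user) and tolerate a subdirectory install
    # such as /wordpress/wp-json/... seen in the IOC URLs.
    path = ex.url.split("?", 1)[0].rstrip("/")
    return ex.method.upper() == "POST" and path.endswith(LOGOUT_PATH)


def is_unauthenticated(ex: HttpExchange) -> bool:
    # Assumption: WordPress cookie auth only; a request without a
    # wordpress_logged_in_* cookie is treated as having no WP session.
    return "wordpress_logged_in_" not in _header(ex, "Cookie")


def logout_succeeded(ex: HttpExchange) -> bool:
    """True when the body matches the success indicators from the detection guidance."""
    if ex.status != 200:
        return False
    try:
        data = json.loads(ex.response_body)
        return data.get("status") == "success" and data.get("message") == "Logged out."
    except (ValueError, AttributeError):
        # Not valid JSON: fall back to requiring both raw substrings together.
        return all(marker in ex.response_body for marker in SUCCESS_MARKERS)


def classify(ex: HttpExchange) -> str:
    """'exploited', 'attempt', 'legitimate' or 'benign'."""
    if not targets_logout_endpoint(ex):
        return "benign"
    if not is_unauthenticated(ex):
        return "legitimate"  # a signed-in user logging out through the same route
    if logout_succeeded(ex):
        return "exploited"
    return "attempt"  # unauthenticated probe that was denied (patched or blocked)


def triage(exchanges):
    return [classify(ex) for ex in exchanges]


def is_vulnerable_version(version: str) -> bool:
    """Versions below 3.1.3 are vulnerable; unparsable strings are treated as vulnerable."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return nums < FIXED_VERSION


# Constructed sample traffic, not captured from a real site.
SAMPLE_EXCHANGES = [
    HttpExchange("POST", "/wp-json/templately/v1/logout?_locale=user",
                 {"Content-Type": "application/json"}, 200,
                 '{"status":"success","message":"Logged out."}'),
    HttpExchange("POST", "/wordpress/wp-json/templately/v1/logout",
                 {"Content-Type": "application/json"}, 401,
                 '{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that."}'),
    HttpExchange("POST", "/wp-json/templately/v1/logout?_locale=user",
                 {"Content-Type": "application/json",
                  "Cookie": "wordpress_logged_in_abc=editor%7C1700000000"}, 200,
                 '{"status":"success","message":"Logged out."}'),
    HttpExchange("GET", "/wordpress/wp-admin/admin.php?page=templately&path=sign-in",
                 {"Cookie": "wordpress_logged_in_abc=editor%7C1700000000"}, 200,
                 "<html>...</html>"),
]

if __name__ == "__main__":
    for ex, verdict in zip(SAMPLE_EXCHANGES, triage(SAMPLE_EXCHANGES)):
        print(f"{verdict:<11} {ex.method} {ex.url}")
    for v in ("3.1.2", "3.1.3", "3.10.0"):
        print(f"Templately {v}: {'vulnerable' if is_vulnerable_version(v) else 'fixed'}")
```

The "legitimate" verdict exists because the same route is used by a signed-in user who really does log out; alerting only on the unauthenticated-plus-success combination keeps the rule from firing on normal admin activity.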

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL