Description

WordPress Plugin Stop User Enumeration is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently perform a variety of the plugin's actions or even take over a website. WordPress Plugin Stop User Enumeration version 1.3.18 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.3.20 or latest

References

https://www.pluginvulnerabilities.com/2019/02/26/hackers-are-probably-already-exploiting-this-authenticated-option-update-vulnerability-just-fixed-in-freemius/

https://github.com/Freemius/wordpress-sdk/commit/50a7ca3d921d59e1d2b39bb6ab3c6c7efde494b8

Related Vulnerabilities

Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-7491)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2335)

WordPress Plugin Ultimate Membership Pro Security Bypass (8.6)

WordPress Plugin MW WP Form Arbitrary File Deletion (5.0.3)

TYPO3 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2010-3662)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass Information Disclosure