Vulnerability Description
The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.
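The finding above is a missing authorization check on an AJAX-style handler. As an added illustration (constructed for this page, not the ConvertKit plugin's own code; all function, hook and option names are hypothetical), here is the pattern in a WordPress plugin handler, first without and then with the checks whose absence produces this class of bug:

```php
<?php
// Constructed example: a WordPress AJAX handler that tags a subscriber via a
// third-party mailing API. Names are hypothetical, not the plugin's real ones.

// VULNERABLE PATTERN. Registering the handler on the wp_ajax_nopriv_ hook makes
// it reachable without logging in, and nothing inside it verifies who is
// calling, so any request triggers an upstream API call (and consumes quota).
add_action( 'wp_ajax_nopriv_example_tag_subscriber', 'example_tag_subscriber_unchecked' );
add_action( 'wp_ajax_example_tag_subscriber',        'example_tag_subscriber_unchecked' );
function example_tag_subscriber_unchecked() {
    $email  = sanitize_email( $_POST['email'] ?? '' );
    $tag_id = absint( $_POST['tag_id'] ?? 0 );
    example_api_tag_subscriber( $email, $tag_id ); // hypothetical API wrapper
    wp_send_json_success();
}

// HARDENED PATTERN. Only the logged-in hook is registered, the caller must hold
// a capability that fits the action, and a nonce ties the request to a form the
// plugin rendered (CSRF defence). Input is validated before the API is touched.
add_action( 'wp_ajax_example_tag_subscriber_safe', 'example_tag_subscriber_checked' );
function example_tag_subscriber_checked() {
    // Capability check: the missing piece in a "missing capability check" finding.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce check: rejects requests not originating from the plugin's own UI.
    check_ajax_referer( 'example_tag_subscriber', 'nonce' );

    $email  = sanitize_email( $_POST['email'] ?? '' );
    $tag_id = absint( $_POST['tag_id'] ?? 0 );
    if ( ! is_email( $email ) || 0 === $tag_id ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    example_api_tag_subscriber( $email, $tag_id ); // hypothetical API wrapper
    wp_send_json_success();
}

// Hypothetical stand-in for the remote API call; real plugins would call
// their HTTP client here. Kept as a no-op so the file loads stand-alone.
function example_api_tag_subscriber( $email, $tag_id ) {
    return true;
}
```

When auditing a plugin for this bug class, look for handlers on `wp_ajax_nopriv_*` (or REST routes with `permission_callback` returning true) that perform state-changing or quota-consuming work without a `current_user_can()` check.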
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Convertkit | Convertkit - Email Marketing, Email Newsletter And Landing Pages | < 2.4.9.1 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&newProduct
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79d828b8-aea2-4705-ae2 (Third Party Advisory)
FAQ
What is CVE-2024-3961?
CVE-2024-3961 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_s...
How severe is CVE-2024-3961?
CVE-2024-3961 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-3961?
Check the references section above for vendor advisories and patch information. Affected products include: Convertkit Convertkit - Email Marketing, Email Newsletter And Landing Pages.