CVE-2024-3895

The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1.

CVSS

No CVSS.

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php	Patch
https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail=	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail=	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail=	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve	Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:androidbubbles:wp_datepicker:*:*:*:*:*:wordpress:*:*

History

27 Feb 2025, 16:24

Type	Values Removed	Values Added
First Time		Androidbubbles wp Datepicker Androidbubbles
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve - Third Party Advisory
References	~~() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail= -~~	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail= - Patch
References	~~() https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php -~~	() https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php - Patch
References	~~() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail= -~~	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail= - Patch
CPE		cpe:2.3:a:androidbubbles:wp_datepicker::::::wordpress::*
CWE		CWE-862
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : unknown

02 May 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-02 17:15

Updated : 2025-02-27 16:24

NVD link : CVE-2024-3895

Mitre link : CVE-2024-3895

JSON object : View

Products Affected

androidbubbles

wp_datepicker

CWE

CWE-862

Missing Authorization

JSON object

Attach tags to CVE-2024-3895

Attach tags to `CVE-2024-3895`