CVE-2024-6489

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_google_api_key function in all versions up to, and including, 2.0.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to set the MailChimp API key.

CVSS

No CVSS.

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/3119180/getwid/trunk/includes/blocks/google-map.php	Patch
https://plugins.trac.wordpress.org/changeset/3119180/getwid/trunk/includes/blocks/google-map.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe391ac9-e3ea-48b3-8ffe-243972ce89f6?source=cve	Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe391ac9-e3ea-48b3-8ffe-243972ce89f6?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:motopress:getwid:*:*:*:*:*:wordpress:*:*

History

04 Feb 2025, 18:04

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/changeset/3119180/getwid/trunk/includes/blocks/google-map.php -~~	() https://plugins.trac.wordpress.org/changeset/3119180/getwid/trunk/includes/blocks/google-map.php - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/fe391ac9-e3ea-48b3-8ffe-243972ce89f6?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/fe391ac9-e3ea-48b3-8ffe-243972ce89f6?source=cve - Third Party Advisory
CPE		cpe:2.3:a:motopress:getwid::::::wordpress::*
CWE		CWE-862
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : unknown
First Time		Motopress getwid Motopress

20 Jul 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-20 07:15

Updated : 2025-02-04 18:04

NVD link : CVE-2024-6489

Mitre link : CVE-2024-6489

JSON object : View

Products Affected

motopress

getwid

CWE

CWE-862

Missing Authorization

JSON object

Attach tags to CVE-2024-6489

Attach tags to `CVE-2024-6489`