CVE-2024-11916
Published: 08 January 2025
Summary
CVE-2024-11916 is a high-severity Missing Authorization (CWE-862) vulnerability in Wpextended Wp Extended. Its CVSS base score is 7.4 (High).
Operationally, it ranks at the 31.8th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly addresses the missing capability checks by enforcing approved authorizations for logical access to plugin functions, preventing unauthorized import and activation of arbitrary code snippets.
- AC-6 (Least Privilege): Enforces least privilege to restrict subscriber-level users from performing high-privilege actions such as data modification and retrieval via the vulnerable plugin functions.
- SI-2 (Flaw Remediation): Mitigates the specific authorization flaw by identifying, reporting, and correcting vulnerabilities in plugins such as WP Extended through timely flaw remediation and patching.
NVD Description
The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several functions in all versions up to, and including, 3.0.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to import and activate arbitrary code snippets along with …
Deeper analysis
CVE-2024-11916 affects the Ultimate WordPress Toolkit – WP Extended plugin for WordPress in all versions up to and including 3.0.11. The vulnerability stems from a missing capability check on several functions, enabling unauthorized modification and retrieval of data. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L) and is associated with CWE-862 (Missing Authorization) and CWE-79 (Cross-Site Scripting).
Authenticated attackers with subscriber-level access or higher can exploit this issue over the network with low complexity and no user interaction required. Successful exploitation allows them to import and activate arbitrary code snippets, resulting in unauthorized data modification and retrieval, with potential impacts across confidentiality, integrity, and availability due to the changed scope.
Mitigation details are available in advisories from Wordfence and a corresponding patch in the WordPress plugin repository at the provided trac changeset reference. Security practitioners should update to a patched version beyond 3.0.11 and review access controls for low-privilege users on affected sites.
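What a missing capability check looks like in practice, as an added illustration that is not the WP Extended plugin's own code: a hypothetical snippet-import handler registered on admin-ajax, shown first in the unguarded shape the advisory describes and then hardened with the checks AC-3 and AC-6 call for. All function, action and option names are assumptions.

```php
<?php
// Added example, not the plugin's code. Names prefixed "hyp_" are hypothetical.

// THE FLAW (CWE-862): every logged-in user, subscribers included, can reach a
// wp_ajax_{action} handler through admin-ajax.php. Nothing here asks who the
// caller is or whether the request is intentional, so a subscriber can store
// arbitrary code that the plugin later loads.
function hyp_import_snippet_unchecked() {
    $snippet = wp_unslash( $_POST['snippet'] ?? '' );
    update_option( 'hyp_snippets', $snippet ); // stored and later activated
    wp_send_json_success();
}
// (deliberately NOT registered; kept only to show the vulnerable shape)

// THE FIX: enforce authorization before touching any data.
function hyp_import_snippet_checked() {
    // 1. Capability check (AC-3 / AC-6): only users allowed to manage the site.
    //    Because this handler stores executable code, also honour
    //    DISALLOW_FILE_EDIT, the constant sites set to forbid code editing
    //    from the dashboard.
    if ( ! current_user_can( 'manage_options' )
         || ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) ) {
        wp_send_json_error( 'forbidden', 403 ); // also terminates the request
    }

    // 2. Nonce check: a privileged user must not be tricked into submitting
    //    this request from another site (CSRF). Dies with 403 on mismatch.
    check_ajax_referer( 'hyp_import_snippet', 'nonce' );

    $snippet = wp_unslash( $_POST['snippet'] ?? '' );
    update_option( 'hyp_snippets', $snippet );
    wp_send_json_success();
}
add_action( 'wp_ajax_hyp_import_snippet', 'hyp_import_snippet_checked' );
```

Both checks belong at the top of every state-changing handler, not only the entry points a UI exposes; the advisory's "several functions" wording is the usual sign that some handlers were guarded and others were not.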
Details
- CWE(s)