CVE-2024-2019 - Vulnerability Details - OpenCVE

The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00697}`	epss `{'score': 0.00981}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00575}`	epss `{'score': 0.00697}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-04T05:32:13.416Z

Updated: 2024-08-09T18:50:16.918Z

Reserved: 2024-02-29T15:35:20.554Z

Link: CVE-2024-2019

Vulnrichment

Updated: 2024-08-01T18:56:22.536Z

NVD

Status : Awaiting Analysis

Published: 2024-06-04T06:15:09.430

Modified: 2024-11-21T09:08:49.540

Link: CVE-2024-2019

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2019", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-29T15:35:20.554Z", "datePublished": "2024-06-04T05:32:13.416Z", "dateUpdated": "2024-08-09T18:50:16.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-04T05:32:13.416Z"}, "affected": [{"vendor": "bobbysmith007", "product": "WP-DB-Table-Editor", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit."}], "title": "WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "timeline": [{"time": "2024-06-03T17:10:03.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.536Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "acceleration", "product": "wp-db-table-editor", "cpes": ["cpe:2.3:a:acceleration:wp-db-table-editor:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.4", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T18:43:20.407941Z", "id": "CVE-2024-2019", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:50:16.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.536Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2019", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-09T18:43:20.407941Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:acceleration:wp-db-table-editor:*:*:*:*:*:*:*:*"], "vendor": "acceleration", "product": "wp-db-table-editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:50:07.414Z"}}], "cna": {"title": "WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access", "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "bobbysmith007", "product": "WP-DB-Table-Editor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-03T17:10:03.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php"}], "descriptions": [{"lang": "en", "value": "The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-04T05:32:13.416Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2019", "state": "PUBLISHED", "dateUpdated": "2024-08-09T18:50:16.918Z", "dateReserved": "2024-02-29T15:35:20.554Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-04T05:32:13.416Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit."}, {"lang": "es", "value": "El complemento WP-DB-Table-Editor para WordPress es vulnerable al acceso no autorizado a datos, modificaci\u00f3n de datos y p\u00e9rdida de datos debido a la falta de un requisito de capacidad predeterminado en la funci\u00f3n 'dbte_render' en todas las versiones hasta, e incluyendo, 1.8.4. Esto hace posible que atacantes autenticados, con acceso de colaborador y superior, modifiquen las tablas de bases de datos para las que el tema ha sido configurado para usar el complemento para editar."}], "id": "CVE-2024-2019", "lastModified": "2024-11-21T09:08:49.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-06-04T06:15:09.430", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/wp-db-table-editor/trunk/db-table-editor.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d044e0a-a956-4319-985d-6a9a276daf49?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis"}