CVE-2024-11355
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to view playlist settings without proper authorization. It affects all versions of the Ultimate YouTube Video & Shorts Player With Vimeo plugin up to and including 3.3. The issue stems from a missing capability check in the get_setting() function.
💻 Affected Systems
- Ultimate YouTube Video & Shorts Player With Vimeo WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive playlist configuration data, potentially revealing private content settings or integration details that could aid further attacks.
Likely Case
Low-privileged users can view playlist settings they shouldn't have access to, violating the principle of least privilege but not directly compromising the system.
If Mitigated
With proper user role management and network segmentation, the impact is limited to information disclosure within the WordPress admin interface.
🎯 Exploit Status
Exploitation requires authenticated access to WordPress with at least Subscriber privileges. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Ultimate YouTube Video & Shorts Player With Vimeo'. 4. Click 'Update Now' if available, or manually update to version 3.4+. 5. Verify the plugin is active after update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate ultimate-youtube-video-player
Restrict User Roles
linuxTemporarily remove Subscriber and higher roles from untrusted users
wp user list --role=subscriber --field=ID | xargs wp user set-role {ID} none
🧯 If You Can't Patch
- Remove the plugin entirely if not critically needed
- Implement network segmentation to isolate WordPress admin interface
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 3.3 or lower, you are vulnerable.Check Version:
wp plugin get ultimate-youtube-video-player --field=versionVerify Fix Applied:
Verify plugin version is 3.4 or higher in WordPress admin panel. Test with a Subscriber account that they cannot access playlist settings.📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to admin-ajax.php with action=get_setting from low-privilege users
- Multiple failed capability checks in WordPress debug logs
Network Indicators:
- Increased traffic to /wp-admin/admin-ajax.php from authenticated users
SIEM Query:
source="wordpress.log" AND ("get_setting" OR "admin-ajax.php") AND user_role="subscriber"🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/admin/admin.php#L18
- https://plugins.trac.wordpress.org/browser/ultimate-youtube-video-player/trunk/admin/inc/handler/getsetting.php#L1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4119178c-9227-4623-a962-e0f103612c75?source=cve
