CVE-2024-2505

8.1 HIGH

📋 TL;DR

The GamiPress WordPress plugin before version 6.8.9 has a broken access control vulnerability that allows Authors to manipulate requests and grant access to lower-privileged users like Subscribers. This enables unauthorized users to modify critical plugin configurations. All WordPress sites using vulnerable GamiPress versions are affected.

💻 Affected Systems

Products:
  • GamiPress WordPress plugin
Versions: All versions before 6.8.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with GamiPress plugin installed. The vulnerability exists regardless of specific plugin configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could completely reconfigure the gamification system, disable security features, or manipulate user privileges to gain administrative access.

🟠 Likely Case

Unauthorized users modify plugin settings, disrupt gamification functionality, or escalate privileges for themselves or others.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to configuration changes that can be reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires at least Author-level access. The vulnerability involves manipulating requests to bypass intended access controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.9

Vendor Advisory: https://wpscan.com/vulnerability/9b3d6148-ecee-4e59-84a4-3b3e9898473b/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find GamiPress and click 'Update Now'.
4. Verify the installed version is 6.8.9 or higher.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Deactivate the GamiPress plugin until it is patched to prevent exploitation:

wp plugin deactivate gamipress

Role Restriction

Temporarily restrict Author and lower roles from accessing plugin settings. Use WordPress role management plugins to remove plugin management capabilities from non-admin roles.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all plugin configuration changes
  • Regularly audit user roles and permissions, especially for Authors and Editors

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → GamiPress version

Check Version:

wp plugin list --name=gamipress --field=version

Verify Fix Applied:

Confirm GamiPress version is 6.8.9 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to GamiPress settings pages
  • Configuration changes by non-admin users
  • User role modifications

Network Indicators:

  • POST requests to GamiPress admin endpoints from non-admin users

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php?page=gamipress" OR plugin="gamipress") AND user_role!="administrator"
