{"api_version":"1","generated_at":"2026-04-30T03:09:35+00:00","cve":"CVE-2024-0829","urls":{"html":"https://cve.report/CVE-2024-0829","api":"https://cve.report/api/cve/CVE-2024-0829.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-0829","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-0829"},"summary":{"title":"Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Authorization","description":"The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-03-13 16:15:14","updated_at":"2026-04-08 19:19:17"},"problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php","name":"https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail=","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0829","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0829","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"nmedia","product":"Comments Extra Fields For Post,Pages and CPT","version":"affected 5.0 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-02-26T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Francesco Carlucci","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"829","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"najeebmedia","cpe5":"comments_extra_fields","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"829","cve":"CVE-2024-0829","epss":"0.001320000","percentile":"0.323270000","score_date":"2026-04-29","updated_at":"2026-04-30 00:13:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-0829","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-03-13T18:26:24.411249Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-04T17:59:05.683Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T18:18:18.708Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail="}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Comments Extra Fields For Post,Pages and CPT","vendor":"nmedia","versions":[{"lessThanOrEqual":"5.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Francesco Carlucci"}],"descriptions":[{"lang":"en","value":"The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings."}],"metrics":[{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:23:43.796Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/wp-comment-fields/trunk/classes/admin.class.php"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3040734%40wp-comment-fields%2Ftrunk&old=3039523%40wp-comment-fields%2Ftrunk&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2024-02-26T00:00:00.000Z","value":"Disclosed"}],"title":"Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Authorization"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-0829","datePublished":"2024-03-13T15:27:14.507Z","dateReserved":"2024-01-23T17:41:43.438Z","dateUpdated":"2026-04-08T17:23:43.796Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-03-13 16:15:14","lastModifiedDate":"2026-04-08 19:19:17","problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:najeebmedia:comments_extra_fields:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"5.1","matchCriteriaId":"2CA28999-E655-4FA8-8B27-C49629560044"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"829","Ordinal":"1","Title":"Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Au","CVE":"CVE-2024-0829","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"829","Ordinal":"1","NoteData":"The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.","Type":"Description","Title":"Comments Extra Fields For Post,Pages and CPT <= 5.0 - Missing Au"}]}}}