{"api_version":"1","generated_at":"2026-04-10T14:30:53+00:00","cve":"CVE-2024-1870","urls":{"html":"https://cve.report/CVE-2024-1870","api":"https://cve.report/api/cve/CVE-2024-1870.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-1870","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-1870"},"summary":{"title":"Colibri Page Builder <= 1.0.260 - Missing Authorization","description":"The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-03-09 10:15:06","updated_at":"2026-04-08 17:18:26"},"problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1&old=2888093&old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php","name":"https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1&old=2888093&old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356","name":"https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-1870","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1870","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"extendthemes","product":"Colibri Page Builder","version":"affected 1.0.260 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-03-08T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Stacy Purcell","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"1870","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"extendthemes","cpe5":"colibri_page_builder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-1870","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-03-11T15:04:52.588092Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-04T17:59:41.084Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T18:56:22.387Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1&old=2888093&old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Colibri Page Builder","vendor":"extendthemes","versions":[{"lessThanOrEqual":"1.0.260","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Stacy Purcell"}],"descriptions":[{"lang":"en","value":"The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key."}],"metrics":[{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:36:33.432Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/130637ce-d70a-4831-8b88-a2a6e8a95c42?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/src/License/ActivationForm.php#L356"},{"url":"https://plugins.trac.wordpress.org/changeset/3045582/colibri-page-builder/trunk/src/License/ActivationForm.php?contextall=1&old=2888093&old_path=%2Fcolibri-page-builder%2Ftrunk%2Fsrc%2FLicense%2FActivationForm.php"}],"timeline":[{"lang":"en","time":"2024-03-08T00:00:00.000Z","value":"Disclosed"}],"title":"Colibri Page Builder <= 1.0.260 - Missing Authorization"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-1870","datePublished":"2024-03-09T09:37:46.628Z","dateReserved":"2024-02-23T21:59:45.320Z","dateUpdated":"2026-04-08T16:36:33.432Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-03-09 10:15:06","lastModifiedDate":"2026-04-08 17:18:26","problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:extendthemes:colibri_page_builder:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"1.0.263","matchCriteriaId":"D5D82DCD-B3E8-4777-BCA4-FED213D4553F"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"1870","Ordinal":"1","Title":"Colibri Page Builder <= 1.0.260 - Missing Authorization","CVE":"CVE-2024-1870","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"1870","Ordinal":"1","NoteData":"The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callActivateLicenseEndpoint function in all versions up to, and including, 1.0.260. This makes it possible for authenticated attackers, with subscriber access or higher, to update the license key.","Type":"Description","Title":"Colibri Page Builder <= 1.0.260 - Missing Authorization"}]}}}