CVE-2024-0710 - Vulnerability Details - OpenCVE

The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form submission and replace the generated unique ID with a user-controlled one, leading to a loss of integrity in cases where the ID's uniqueness is relied upon in a security-specific context.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md
https://gravitywiz.com/documentation/gravity-forms-unique-id/
https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-02T16:57:15.807Z

Updated: 2024-08-01T18:11:35.724Z

Reserved: 2024-01-18T23:54:43.419Z

Link: CVE-2024-0710

Vulnrichment

Updated: 2024-08-01T18:11:35.724Z

NVD

Status : Awaiting Analysis

Published: 2024-05-02T17:15:09.707

Modified: 2024-11-21T08:47:11.403

Link: CVE-2024-0710

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0710", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-18T23:54:43.419Z", "datePublished": "2024-05-02T16:57:15.807Z", "dateUpdated": "2024-08-01T18:11:35.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:57:15.807Z"}, "affected": [{"vendor": "Gravity Wiz", "product": "GP Unique ID", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form submission and replace the generated unique ID with a user-controlled one, leading to a loss of integrity in cases where the ID's uniqueness is relied upon in a security-specific context."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve"}, {"url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/"}, {"url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Karl Emil Nikka"}], "timeline": [{"time": "2024-01-13T00:00:00.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2024-04-10T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0710", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T17:52:46.260705Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gravity_wiz:gp_unique_id:*:*:*:*:*:*:*:*"], "vendor": "gravity_wiz", "product": "gp_unique_id", "versions": [{"status": "affected", "version": "1.5.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:58:53.597Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.724Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve", "tags": ["x_transferred"]}, {"url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/", "tags": ["x_transferred"]}, {"url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve", "tags": ["x_transferred"]}, {"url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/", "tags": ["x_transferred"]}, {"url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.724Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0710", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-02T17:52:46.260705Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gravity_wiz:gp_unique_id:*:*:*:*:*:*:*:*"], "vendor": "gravity_wiz", "product": "gp_unique_id", "versions": [{"status": "affected", "version": "1.5.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-02T17:55:58.615Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Karl Emil Nikka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "Gravity Wiz", "product": "GP Unique ID", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-01-13T00:00:00.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2024-04-10T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve"}, {"url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/"}, {"url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md"}], "descriptions": [{"lang": "en", "value": "The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form submission and replace the generated unique ID with a user-controlled one, leading to a loss of integrity in cases where the ID's uniqueness is relied upon in a security-specific context."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-02T16:57:15.807Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0710", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:11:35.724Z", "dateReserved": "2024-01-18T23:54:43.419Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-02T16:57:15.807Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The GP Unique ID plugin for WordPress is vulnerable to Unique ID Modification in all versions up to, and including, 1.5.5. This is due to insufficient input validation. This makes it possible for unauthenticated attackers to tamper with the generation of a unique ID on a form submission and replace the generated unique ID with a user-controlled one, leading to a loss of integrity in cases where the ID's uniqueness is relied upon in a security-specific context."}, {"lang": "es", "value": "El complemento GP Unique ID para WordPress es vulnerable a la modificaci\u00f3n de ID \u00fanico en todas las versiones hasta la 1.5.5 incluida. Esto se debe a una validaci\u00f3n de entrada insuficiente. Esto hace posible que atacantes no autenticados alteren la generaci\u00f3n de una identificaci\u00f3n \u00fanica en el env\u00edo de un formulario y reemplacen la identificaci\u00f3n \u00fanica generada con una controlada por el usuario, lo que lleva a una p\u00e9rdida de integridad en los casos en que se conf\u00eda en la unicidad de la identificaci\u00f3n en un contexto espec\u00edfico de seguridad."}], "id": "CVE-2024-0710", "lastModified": "2024-11-21T08:47:11.403", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-02T17:15:09.707", "references": [{"source": "security@wordfence.com", "url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md"}, {"source": "security@wordfence.com", "url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/karlemilnikka/CVE-2024-0710/blob/main/README.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://gravitywiz.com/documentation/gravity-forms-unique-id/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26db2d25-01b8-49c5-a4d6-284780ac97bb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis"}