CVE-2024-2036

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-2036
The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/apply-online/trunk/admin/class-applyonline-admin.php#L875
https://plugins.trac.wordpress.org/changeset/3095921
https://www.wordfence.com/threat-intel/vulnerabilities/id/3eff4992-dbd4-4b9b-872e-1670ce7dab9d?source=cve
https://wordpress.org/plugins/apply-online/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3eff4992-dbd4-4b9b-872e-1670ce7dab9d?source=cve
Configurations

No configuration.

History

08 Apr 2026, 18:20

Type Values Removed Values Added
Summary (en) The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions. (en) The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions.
CWE CWE-862
References
  • () https://plugins.trac.wordpress.org/browser/apply-online/trunk/admin/class-applyonline-admin.php#L875 -
  • () https://plugins.trac.wordpress.org/changeset/3095921 -

21 Nov 2024, 09:08

Type Values Removed Values Added
Summary
  • (es) El complemento ApplyOnline – Application Form Builder and Manager para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la acción aol_modal_box AJAX en todas las versiones hasta la 2.6 incluida. Esto hace posible que los atacantes autenticados, con acceso de suscriptor o superior, vean los envíos de aplicaciones.
References () https://wordpress.org/plugins/apply-online/ - () https://wordpress.org/plugins/apply-online/ -
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/3eff4992-dbd4-4b9b-872e-1670ce7dab9d?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/3eff4992-dbd4-4b9b-872e-1670ce7dab9d?source=cve -

22 May 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-22 09:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-2036

Mitre link : CVE-2024-2036

CVE.ORG link : CVE-2024-2036

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization