ConvertPlus
cpe:2.3:a:convertplug:convertplus:*:*:*:*:wordpress:*:*
- <= 3.5.30
A denial-of-service vulnerability has been identified in the ConvertPlus plugin for WordPress, affecting all versions through 3.5.30. The issue arises from a missing capability check on the 'cp_dismiss_notice' AJAX endpoint, which allows authenticated attackers with Subscriber-level access and above to modify option values without authorization. This manipulation can create errors on the site, disrupting service for legitimate users, or alter specific settings, such as enabling registration.
Exploitation of this vulnerability can lead to unauthorized data modification, causing errors that disrupt normal site operations and potentially interfere with user registration processes.
Users are advised to update the ConvertPlus plugin to version 3.5.31 or a newer patched version.
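Where the update cannot be applied immediately, a must-use plugin can enforce the missing capability check in front of the endpoint. The following is an added example, not ConvertPlus code or the vendor's fix; the `manage_options` capability, the `cp_guard_*` names, the file name and the assumption that the plugin's own handler is registered at a priority later than 0 are all assumptions.

```php
<?php
/**
 * Plugin Name: Guard cp_dismiss_notice (temporary mitigation)
 *
 * Added example, not part of ConvertPlus.
 * Assumed location: wp-content/mu-plugins/guard-cp-dismiss-notice.php
 */

// Assumption: only administrators should be able to reach this endpoint.
const CP_GUARD_REQUIRED_CAP = 'manage_options';

// WordPress fires "wp_ajax_{action}" for logged-in users. Priority 0 runs
// before callbacks registered at the default priority (10), which is where
// the plugin's handler is assumed to sit.
add_action( 'wp_ajax_cp_dismiss_notice', 'cp_guard_dismiss_notice', 0 );

function cp_guard_dismiss_notice() {
	// Privileged callers fall through to the plugin's own handler.
	if ( current_user_can( CP_GUARD_REQUIRED_CAP ) ) {
		return;
	}

	// Record the rejected call so it can be reviewed later.
	error_log(
		sprintf(
			'Blocked cp_dismiss_notice call from user ID %d (%s)',
			get_current_user_id(),
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
		)
	);

	// Sends a JSON error with HTTP 403 and terminates the request, so the
	// plugin's handler never runs for this caller.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
```

Remove the file once ConvertPlus 3.5.31 or later is installed.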