CVE-2024-1108 MEDIUM

CVE-2024-1108: Plugin Groups <= 2.0.6 - Missing Authorization to Unauthenticated Denial of Service

Vendor Desertsnowman

Product Plugin Groups

Weakness CWE-862 · Missing authorization

Published February 21, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_init() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin, which can also cause a denial of service due to a misconfiguration.

Key dates

02Disclosure timeline

February 21, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1108 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2021-43781 Permissions not properly checked in Invenio-Drafts-Resources CVE-2025-24589 WordPress JSM Show Post Metadata plugin <= 4.6.0 - Broken Access Control vulnerability CVE-2025-62104 WordPress ACF Galerie 4 plugin <= 1.4.2 - Broken Access Control vulnerability CVE-2025-11758 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0.3 - Missing Authorization to Page Creation and Information Exposure CVE-2025-11991 JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation