CVE-2024-0828: CWE-862 Missing Authorization in hammadh Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.
AI Analysis
Technical Summary
CVE-2024-0828 describes a missing authorization (CWE-862) vulnerability in the Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio WordPress plugin by hammadh. In all versions up to and including 3.6.4, the plugin fails to enforce proper capability checks on multiple functions. This flaw permits authenticated users with subscriber or higher privileges to delete, retrieve, or modify post metadata, access contents of protected posts, modify conversion data, and delete article audio. The vulnerability has a CVSS 3.1 base score of 5.4 (medium severity) with network attack vector, low attack complexity, and privileges required at the low level.
Potential Impact
An attacker with subscriber-level access or higher can abuse the missing authorization to manipulate post metadata, access protected post content, modify conversion data, and delete audio articles. This could lead to unauthorized data disclosure and integrity issues within the affected WordPress site. There is no indication of availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level access carefully and monitor for suspicious activity related to the Play.ht plugin. Avoid granting unnecessary privileges to users. Follow vendor updates for any forthcoming patches or official fixes.
CVE-2024-0828: CWE-862 Missing Authorization in hammadh Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio
Description
The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-0828 describes a missing authorization (CWE-862) vulnerability in the Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio WordPress plugin by hammadh. In all versions up to and including 3.6.4, the plugin fails to enforce proper capability checks on multiple functions. This flaw permits authenticated users with subscriber or higher privileges to delete, retrieve, or modify post metadata, access contents of protected posts, modify conversion data, and delete article audio. The vulnerability has a CVSS 3.1 base score of 5.4 (medium severity) with network attack vector, low attack complexity, and privileges required at the low level.
Potential Impact
An attacker with subscriber-level access or higher can abuse the missing authorization to manipulate post metadata, access protected post content, modify conversion data, and delete audio articles. This could lead to unauthorized data disclosure and integrity issues within the affected WordPress site. There is no indication of availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level access carefully and monitor for suspicious activity related to the Play.ht plugin. Avoid granting unnecessary privileges to users. Follow vendor updates for any forthcoming patches or official fixes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-23T16:47:49.972Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6de6b7ef31ef0b5905ac
Added to database: 2/25/2026, 9:47:18 PM
Last enriched: 4/9/2026, 11:48:42 AM
Last updated: 4/11/2026, 1:34:10 PM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.