CVE-2024-11085: CWE-862 Missing Authorization in maxwellberkel WP Log Viewer
The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings.
AI Analysis
Technical Summary
CVE-2024-11085 is a missing authorization vulnerability (CWE-862) in the maxwellberkel WP Log Viewer WordPress plugin. The issue arises because the plugin fails to enforce capability checks on multiple AJAX actions, enabling authenticated users with minimal privileges (Subscriber-level and above) to access sensitive plugin logs and modify user and general plugin settings. This vulnerability affects all versions up to and including 1.2.1. The CVSS 3.1 score is 5.4 (medium), reflecting the network attack vector, low attack complexity, and limited impact on confidentiality and integrity without availability impact.
Potential Impact
Authenticated attackers with Subscriber-level privileges or higher can exploit this vulnerability to access plugin logs and change plugin-related user and general settings without proper authorization. This could lead to unauthorized disclosure of potentially sensitive log information and unauthorized configuration changes within the plugin context. There is no indication of impact on system availability. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and monitor plugin usage closely. Avoid granting Subscriber-level or higher access to untrusted users. Review and limit access to the WP Log Viewer plugin functionalities where possible.
CVE-2024-11085: CWE-862 Missing Authorization in maxwellberkel WP Log Viewer
Description
The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11085 is a missing authorization vulnerability (CWE-862) in the maxwellberkel WP Log Viewer WordPress plugin. The issue arises because the plugin fails to enforce capability checks on multiple AJAX actions, enabling authenticated users with minimal privileges (Subscriber-level and above) to access sensitive plugin logs and modify user and general plugin settings. This vulnerability affects all versions up to and including 1.2.1. The CVSS 3.1 score is 5.4 (medium), reflecting the network attack vector, low attack complexity, and limited impact on confidentiality and integrity without availability impact.
Potential Impact
Authenticated attackers with Subscriber-level privileges or higher can exploit this vulnerability to access plugin logs and change plugin-related user and general settings without proper authorization. This could lead to unauthorized disclosure of potentially sensitive log information and unauthorized configuration changes within the plugin context. There is no indication of impact on system availability. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted individuals only and monitor plugin usage closely. Avoid granting Subscriber-level or higher access to untrusted users. Review and limit access to the WP Log Viewer plugin functionalities where possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-11T18:59:57.799Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e06b7ef31ef0b593c5e
Added to database: 2/25/2026, 9:47:50 PM
Last enriched: 4/9/2026, 5:55:08 AM
Last updated: 4/12/2026, 3:44:45 PM
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.