CVE-2024-6120: CWE-862 Missing Authorization in sparklewpthemes Sparkle Demo Importer
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
AI Analysis
Technical Summary
CVE-2024-6120 describes a missing authorization vulnerability in the Sparkle Demo Importer WordPress plugin (all versions up to 1.4.7). Due to lack of proper capability checks on multiple functions, authenticated users with low privileges (Subscriber-level and above) can reset the database and import demo data without proper authorization. This enables deletion of all posts, pages, and uploaded files, and installation of a limited set of demo plugins. The vulnerability is classified under CWE-862 (Missing Authorization). The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
The vulnerability allows unauthorized modification of website content by authenticated users with minimal privileges, specifically enabling deletion of posts, pages, and media files, and installation of demo plugins. There is no direct impact on confidentiality or availability. The integrity of the WordPress site is compromised, potentially causing significant content loss and unauthorized plugin installation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to prevent Subscriber-level users from accessing the vulnerable plugin functionality. Monitor plugin updates from sparklewpthemes for a security patch addressing this issue.
CVE-2024-6120: CWE-862 Missing Authorization in sparklewpthemes Sparkle Demo Importer
Description
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-6120 describes a missing authorization vulnerability in the Sparkle Demo Importer WordPress plugin (all versions up to 1.4.7). Due to lack of proper capability checks on multiple functions, authenticated users with low privileges (Subscriber-level and above) can reset the database and import demo data without proper authorization. This enables deletion of all posts, pages, and uploaded files, and installation of a limited set of demo plugins. The vulnerability is classified under CWE-862 (Missing Authorization). The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
The vulnerability allows unauthorized modification of website content by authenticated users with minimal privileges, specifically enabling deletion of posts, pages, and media files, and installation of demo plugins. There is no direct impact on confidentiality or availability. The integrity of the WordPress site is compromised, potentially causing significant content loss and unauthorized plugin installation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to prevent Subscriber-level users from accessing the vulnerable plugin functionality. Monitor plugin updates from sparklewpthemes for a security patch addressing this issue.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-06-18T11:26:18.203Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6bfab7ef31ef0b55d49b
Added to database: 2/25/2026, 9:39:06 PM
Last enriched: 4/9/2026, 2:53:04 PM
Last updated: 4/12/2026, 6:15:17 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.