CVE-2024-1120
The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.
We have discovered 243 live websites that are affected by CVE-2024-1120.
Affected Software
| Product |  Finale Woocommerce Sales Countdown Timer Discount |
| Category | Wordpress Plugins |
| Vulnerable Domains | 243 live websites (20% of Finale Woocommerce Sales Countdown Timer Discount install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 12 versions ( 75% of all versions) |
Details
- Published - Mar 1, 2024
- Updated - Aug 28, 2024
Credits
- Francesco Carlucci (finder)
CVE References
Website Distribution by Country
Number of websites using CVE-2024-1120 United States | 58 websites |
 Germany | 20 websites |
 Italy | 14 websites |
 Spain | 10 websites |
 GB | 10 websites |
 Russia | 10 websites |
 India | 8 websites |
 France | 8 websites |
 Poland | 8 websites |
 Ukraine | 7 websites |
Website Distribution by TLD
Number of websites using CVE-2024-1120| .com | 111 websites |
| .ru | 8 websites |
| .es | 8 websites |
| .pl | 8 websites |
| .it | 6 websites |
| .nl | 5 websites |
| .co.uk | 4 websites |
| .org | 4 websites |
| .co | 3 websites |
| .com.au | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-1120
Top websites that are affected by CVE-2024-1120. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *************.com | United States | ***,*** | |
| *******.com | United States | ***,*** | |
| **********.com | United States | *,***,*** | |
| ****.tw |  Taiwan | *,***,*** | |
| ***.***.au |  Australia | *,***,*** | |
| ***************.ir |  Iran | *,***,*** | |
| *********.pl | Poland | *,***,*** | |
| **********.vn |  Vietnam | *,***,*** | |
| **********.com |  Hong Kong | *,***,*** | |
| ******.ru | Russia | *,***,*** |
FAQ
A total of 243 websites have been identified as vulnerable to CVE-2024-1120, based on global website indexing conducted by WebTechSurvey.
The Finale Woocommerce Sales Countdown Timer Discount is affected by the CVE-2024-1120 vulnerability.
Finale Woocommerce Sales Countdown Timer Discount versions up to and including 2.18 are vulnerable to CVE-2024-1120.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3d9332be-2cf0-46cd-81e4-6436aeec0f83?source=cve
- https://plugins.trac.wordpress.org/browser/finale-woocommerce-sales-countdown-timer-discount/trunk/includes/wcct-xl-support.php#L710
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042127%40finale-woocommerce-sales-countdown-timer-discount&new=3042127%40finale-woocommerce-sales-countdown-timer-discount&sfp_email=&sfph_mail=