Medium severity5.3NVD Advisory· Published Mar 1, 2024· Updated Apr 8, 2026

CVE-2024-1120

Description

The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.

Affected products

Xlplugins/Finale
cpe:2.3:a:xlplugins:finale:*:*:*:*:lite:wordpress:*:*
Range: <2.18.0
Xlplugins/Nextmove
cpe:2.3:a:xlplugins:nextmove:*:*:*:*:lite:wordpress:*:*
Range: <2.18.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/3d9332be-2cf0-46cd-81e4-6436aeec0f83nvdThird Party Advisory
plugins.trac.wordpress.org/browser/finale-woocommerce-sales-countdown-timer-discount/trunk/includes/wcct-xl-support.phpnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000