Unauthenticated Privilege Escalation Vulnerability in Frontend Admin Plugin
CVE-2024-11721

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Frontend Admin By Dynamiapps
Vendor: CVE Published:; 14 December 2024

Summary

The Frontend Admin plugin developed by DynamiApps for WordPress exhibits a vulnerability that enables privilege escalation in all versions up to and including 3.24.5. This vulnerability arises from inadequate controls on the user role selection field in forms, permitting unauthorized users to create new administrative accounts. This situation becomes particularly concerning as it allows for the generation of administrative access despite the absence of the necessary role options provided to unauthenticated users. As a result, websites utilizing this plugin may be significantly at risk, underscoring the importance of applying security measures and updates promptly to mitigate potential exploitation.

Affected Version(s)

Frontend Admin by DynamiApps * <= 3.24.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3204192/acf-...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2024
Vulnerability Reserved
Nov 25, 2024

Credit

Max Boll