UserPro Plugin for WordPress Exposed to Privilege Escalation Risk
CVE-2024-12822

9.8CRITICAL

Key Information:

Vendor: Deluxethemes
Status: Media Manager For Userpro
Vendor: CVE Published:; 30 January 2025

Summary

The Media Manager for UserPro plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to modify data due to a missing capability check in the add_capto_img() function. This flaw permits the alteration of arbitrary options on the WordPress site, potentially enabling attackers to elevate their permissions to administrative levels. With this access, malicious users could configure the default registration role to administrator and exploit the vulnerability to commandeer the website.

Affected Version(s)

Media Manager for UserPro * <= 3.11.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/media-manager-for-userpro/866...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 30, 2025
Vulnerability Reserved
Dec 19, 2024

Credit

Lucio Sá