UnAuthenticated Privilege Escalation in WPCOM Member Plugin

CVE-2024-7493

9.8CRITICAL

Key Information

Vendor: Whyun
Status: WPcom Member
Vendor: CVE Published:; 6 September 2024

Summary

The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.

Affected Version(s)

WPCOM Member <= 1.5.2.1

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Disclosed
Sep 6, 2024
Vulnerability published.
Sep 6, 2024
Vulnerability Reserved.
Aug 5, 2024

Collectors

NVD DatabaseMitre Database

Credit

wesley