Privilege Escalation Vulnerability in ForumWP Allows Attackers to Reset Admin Passwords
CVE-2024-8428

8.8HIGH

Key Information:

Vendor

Wordpress
Status
ForumWP – Forum & Discussion Board Plugin
Vendor
CVE Published:
6 September 2024

What is CVE-2024-8428?

The ForumWP – Forum & Discussion Board Plugin for WordPress is susceptible to a privilege escalation issue through an insecure direct object reference. This vulnerability arises from a lack of proper validation on the 'user_id' key, which is controlled by users. Authenticated attackers with at least subscriber-level permissions are able to exploit this flaw to alter the email addresses associated with administrative accounts. This action can subsequently facilitate a password reset for admin users, potentially allowing unauthorized access to their accounts. It highlights a crucial need for stringent validation processes to safeguard sensitive user data and administrative credentials.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ForumWP – Forum & Discussion Board Plugin * <= 2.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/forumwp/trunk/...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
JSON
.