CVE-2024-9192

Improper Privilege Management (CWE-269)

Published: Nov 16, 2024 / Updated: 4d ago

CVSS 8.8 / EPSS 0.05% / Severity: High

Summary

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the wpvr_rate_request_result() function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta on a WordPress site. This can be leveraged to update their capabilities to that of an administrator.

Impact

This vulnerability allows authenticated attackers with subscriber-level access or higher to escalate their privileges to administrator level. This can lead to complete compromise of the WordPress site, as an attacker could gain full control over the site's content, settings, and user data. The attacker could potentially install malicious plugins, modify existing content, access sensitive information, or use the compromised site for further attacks.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is not available as of the latest information provided. The vulnerability affects all versions of the WordPress Video Robot - The Ultimate Video Importer plugin up to and including version 1.20.0.

Mitigation

1. Immediately disable the WordPress Video Robot - The Ultimate Video Importer plugin if it is not critical for operations.
2. If the plugin must be used, limit user accounts with subscriber-level access and above to only trusted individuals.
3. Monitor user activity and permissions closely for any unexpected changes.
4. Keep an eye out for updates from the plugin developer and apply any security patches as soon as they become available.
5. Consider implementing additional security measures such as web application firewalls or security plugins to help detect and prevent unauthorized privilege escalation attempts.
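The defect class described in the summary is a user-meta write whose key is taken from the request, which lets the caller reach the capabilities meta. The following mu-plugin is an added example, not code from the Video Robot plugin or its vendor: it shows the allowlist pattern a handler should use (the action name `example_rate_result` and the two allowed keys are assumptions) and an audit hook that flags capability or user-level changes made by an account lacking `promote_users`, which implements mitigation step 3.

```php
<?php
/**
 * Example mu-plugin (not the plugin's own code): hardened user-meta update
 * handler plus an audit hook for capability changes.
 * Assumed names: action 'example_rate_result' and the allowlisted meta keys.
 */

// Only these keys may be written through the front-end handler. The
// capabilities and user_level keys are never reachable, whatever the request sends.
const EXAMPLE_ALLOWED_USER_META = array( 'example_last_rating', 'example_rated_video' );

add_action( 'wp_ajax_example_rate_result', function () {
    check_ajax_referer( 'example_rate_result', 'nonce' );

    $key   = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';

    if ( ! in_array( $key, EXAMPLE_ALLOWED_USER_META, true ) ) {
        wp_send_json_error( 'meta key not permitted', 400 );
    }
    // Always write to the authenticated user; never take the user ID from the request.
    update_user_meta( get_current_user_id(), $key, $value );
    wp_send_json_success();
} );

// Audit: log every change to the capabilities or user_level meta and mark it
// SUSPICIOUS when the acting account cannot legitimately change roles.
add_action( 'updated_user_meta', function ( $meta_id, $user_id, $meta_key, $meta_value ) {
    global $wpdb;
    $protected = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    if ( ! in_array( $meta_key, $protected, true ) ) {
        return;
    }
    $actor = get_current_user_id();
    $flag  = current_user_can( 'promote_users' ) ? 'expected' : 'SUSPICIOUS';
    $via   = isset( $_SERVER['REQUEST_URI'] )
        ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) )
        : 'cli/cron';
    error_log( sprintf(
        '[user-meta-audit] %s: user %d meta %s set to %s by actor %d via %s',
        $flag, $user_id, $meta_key, wp_json_encode( $meta_value ), $actor, $via
    ) );
}, 10, 4 );
```

Initial role assignment at registration fires `added_user_meta`, not `updated_user_meta`, so the audit hook only reports later changes; forward the log line to whatever alerting the site already uses.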

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9192.

Nov 16, 2024 at 3:38 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 16, 2024 at 3:38 AM
CVE Assignment

NVD published the first details for CVE-2024-9192

Nov 16, 2024 at 4:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 16, 2024 at 4:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.6%)

Nov 16, 2024 at 10:07 AM

Affected Systems

Wordpress/wordpress

Links to Mitre Att&cks

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-122: Privilege Abuse

News

CVE-2024-9192 (Severity 3.1 / CVSS 3.1 Base Score): repeats the NVD description given in the Summary above.
Privilege Escalation Vulnerability in WordPress Video Robot's Ultimate Video Importer Plugin (Pressaholic - HIGH - CVE-2024-9192): repeats the NVD description given in the Summary above.
CVE-2024-9192 - WordPress Video Robot Privilege Escalation Vulnerability (published Nov. 16, 2024, 4:15 a.m.): repeats the NVD description given in the Summary above.
Social media post (WP Video Robot bot) linking to https://www.cve.org/CVERecord?id=CVE-2024-9192, https://www.wordfence.com/threat-intel/vulnerabilities/id/2da019d3-4aca-485a-aa0c-73728dc1e7c1?source=cve and https://codecanyon.net/item/wordpress-video-robot-plugin/8619739

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
