CVE-2024-9518

Improper Privilege Management (CWE-269)

Published: Oct 10, 2024 / Updated: 41d ago

CVSS 9.8 / EPSS 0.09% / Critical

The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.
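The description above boils down to a CWE-269 pattern: a role value taken from an unauthenticated request is passed straight into user creation. The following is added example code (not the UserPlus plugin's own source) showing that pattern beside a hardened registration and profile-update handler built on standard WordPress APIs; the `example_*` function names, the `example_update_profile` nonce action and the form field names are assumptions.

```php
<?php
// Added example, not UserPlus code. Function names and form fields are hypothetical.

// VULNERABLE PATTERN: the role comes straight from the request body.
function example_register_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $post['role'] ?? 'subscriber', // request-controlled
    ) );
}

// HARDENED: unauthenticated registration never honours a request-supplied role;
// the site's configured default role (normally 'subscriber') is used instead.
function example_register_hardened( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}

// HARDENED profile update: the caller must be allowed to edit this user, the
// request must carry a valid nonce, and a role change additionally requires the
// promote_users capability plus a value from an allow-list of non-privileged roles.
function example_update_profile_hardened( int $user_id, array $post ) {
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'Not permitted to edit this profile.' );
    }
    if ( ! wp_verify_nonce( $post['_wpnonce'] ?? '', 'example_update_profile' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $update = array( 'ID' => $user_id );
    if ( isset( $post['display_name'] ) ) {
        $update['display_name'] = sanitize_text_field( $post['display_name'] );
    }
    if ( isset( $post['role'] ) ) {
        $allowed = array( 'subscriber', 'contributor' ); // never administrator/editor
        if ( ! current_user_can( 'promote_users' ) || ! in_array( $post['role'], $allowed, true ) ) {
            return new WP_Error( 'forbidden', 'Role change not permitted.' );
        }
        $update['role'] = $post['role'];
    }
    return wp_update_user( $update );
}
```

The fix is the same in both handlers: the role is decided server-side from configuration and capabilities, and the `role` request field is either ignored or checked against an allow-list after a capability check.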

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9518

Oct 10, 2024 at 2:15 AM
First Article

Feedly found the first article mentioning CVE-2024-9518. See article

Oct 10, 2024 at 2:21 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 2:21 AM
EPSS

EPSS Score was set to: 0.09% (Percentile: 39.8%)

Oct 10, 2024 at 10:30 AM

Affected Systems

Wpuserplus/userplus

Links to MITRE ATT&CK

T1548: Abuse Elevation Control Mechanism

Attack Patterns

CAPEC-122: Privilege Abuse

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 7, 2024 to October 13, 2024)
WordPress Plugins with Reported Vulnerabilities Last Week The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
CVE-2024-9518
Severity 3.1 (CVSS 3.1 Base Score)
Critical - CVE-2024-9518 - The UserPlus plugin for WordPress is vulnerable...
The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and...
UserPlus <= 2.0 - Unauthenticated Privilege Escalation
Userplus - CRITICAL - CVE-2024-9518 The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.
WORDPRESS USERPLUS USER REGISTRATION & USER PROFILE – USERPLUS CVE-2024-9518 CVE-2024-9518 UserPlus https://www.cve.org/CVERecord?id=CVE-2024-9518 https://www.wordfence.com/threat-intel/vulnerabilities/id/2489e649-27f7-4ca0-8655-0957016fa89a?source=cve https://plugins.trac.wordpress.org/browser/userplus/trunk/functions/user-functions.php?rev=1604604#L47 #wordpress #userplus #Userregistration&userprofile–UserPlus #CVE_2024_9518 #bot

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
