CVE Vulnerabilities

CVE-2024-9863

Incorrect Privilege Assignment

Published: Oct 17, 2024 | Modified: Oct 18, 2024
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io minimus.io echohq.com

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure administrator default value for the default_user_role option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

Weakness

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Potential Mitigations

References