Platform
wordpress
Component
userplus
Fixed in
2.0.1
CVE-2024-9518 is a privilege escalation vulnerability affecting the UserPlus plugin for WordPress versions up to and including 2.0. An attacker can exploit this flaw to assign themselves an arbitrary user role, including administrator, during the user registration process. This bypasses intended access controls and allows unauthorized actions. A patch is available, and users are strongly advised to upgrade immediately.
The impact of CVE-2024-9518 is severe. An attacker exploiting this vulnerability can bypass standard authentication mechanisms and directly assign themselves an administrator role. This grants them complete control over the WordPress site, including access to sensitive data, modification of content, installation of malicious plugins, and potentially, access to the underlying server. The ease of exploitation, requiring no authentication, significantly increases the risk of widespread compromise, especially for sites using the UserPlus plugin for user management.
CVE-2024-9518 was publicly disclosed on 2024-10-10. Public proof-of-concept (PoC) code is likely to emerge quickly due to the vulnerability's simplicity. The high CVSS score indicates a significant risk, and active exploitation is probable. Monitor security advisories and threat intelligence feeds for further updates.
WordPress websites using the UserPlus plugin, particularly those with user registration enabled, are at risk. Shared hosting environments where multiple WordPress installations share the same server are especially vulnerable, as a compromise of one site could potentially lead to lateral movement to others. Sites with legacy UserPlus configurations or those that haven't regularly updated their plugins are also at increased risk.
• wordpress / composer / npm:
  grep -r 'form_actions' /var/www/html/wp-content/plugins/userplus/
• wordpress / composer / npm:
  grep -r 'userplus_update_user_profile' /var/www/html/wp-content/plugins/userplus/
• wordpress / composer / npm:
  wp plugin list --status=active | grep userplus
• wordpress / composer / npm:
  wp plugin update userplus
Disclosure
Exploit status
EPSS
0.95% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9518 is to immediately upgrade the UserPlus plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Restrict the ability to assign roles during registration, potentially by disabling the 'role' parameter or implementing stricter validation. Monitor WordPress logs and UserPlus plugin activity for suspicious registration attempts and unauthorized role changes. After upgrading, confirm the fix by attempting a registration with a privileged role and verifying that the assignment fails.
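The workaround above (restrict role assignment during registration, validate it, and log attempts) can be enforced at the WordPress level independently of any one plugin. The following must-use plugin is an added example written for this advisory; it is not code from UserPlus or from WordPress core. It assumes the file is dropped into wp-content/mu-plugins/ (path assumed), that the listed role names match the site's role set, and that an account is "self-registered" whenever the request is not driven by a logged-in user holding the promote_users capability.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (hypothetical hardening drop-in)
 * Description: Denies privileged roles to self-registered accounts and logs the attempt.
 *
 * Added example for this advisory; not part of UserPlus or WordPress core.
 * Assumed install path: wp-content/mu-plugins/registration-role-guard.php
 */

// Roles a self-service registration must never end up with
// (assumption: adjust to the site's own role set).
const RRG_PRIVILEGED_ROLES = ['administrator', 'editor', 'author', 'contributor'];

/**
 * True when the request comes from a logged-in user who is allowed to hand
 * out roles. Anonymous registrations and front-end profile forms are not.
 */
function rrg_request_may_assign_roles(): bool {
    return is_user_logged_in() && current_user_can('promote_users');
}

/** Privileged roles currently held by the user, if any. */
function rrg_privileged_roles_of(WP_User $user): array {
    return array_values(array_intersect($user->roles, RRG_PRIVILEGED_ROLES));
}

/**
 * Log the event and reset the user to the site's default role.
 * set_role() fires the set_user_role hook again, so a static flag
 * guards against re-entry.
 */
function rrg_demote(WP_User $user, string $reason): void {
    static $busy = false;
    if ($busy) {
        return;
    }
    $busy = true;
    error_log(sprintf(
        'registration-role-guard: %s user_id=%d roles=%s ip=%s',
        $reason,
        $user->ID,
        implode(',', $user->roles),
        $_SERVER['REMOTE_ADDR'] ?? 'n/a'
    ));
    $user->set_role(get_option('default_role', 'subscriber'));
    $busy = false;
}

// 1. Safety net after any user creation: a self-registered account must not
//    hold a privileged role, whichever plugin created it.
add_action('user_register', function (int $user_id): void {
    if (rrg_request_may_assign_roles()) {
        return;
    }
    $user = get_userdata($user_id);
    if ($user && rrg_privileged_roles_of($user)) {
        rrg_demote($user, 'privileged role on self-registration');
    }
}, PHP_INT_MAX);

// 2. Revert privileged role changes made by a request that is not entitled
//    to promote users (e.g. a front-end profile update form).
add_action('set_user_role', function (int $user_id, string $role, array $old_roles): void {
    if (!in_array($role, RRG_PRIVILEGED_ROLES, true) || rrg_request_may_assign_roles()) {
        return;
    }
    $user = get_userdata($user_id);
    if ($user) {
        rrg_demote($user, sprintf(
            'unauthorized role change %s -> %s',
            implode(',', $old_roles) ?: '(none)',
            $role
        ));
    }
}, 10, 3);
```

The two hooks overlap on purpose: `set_user_role` catches the role change at the moment it is made, and `user_register` re-checks the finished account in case a plugin assigned the role by writing user meta directly. Each demotion writes one `registration-role-guard:` line to the PHP error log, which is the signal to alert on when monitoring for the registration abuse described above. Note that administrative tooling running without a logged-in user (for example `wp user create --role=administrator` without `--user`) will also be demoted; run such commands with an explicit administrator user or disable the guard for that session.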
Update the UserPlus plugin to the latest available version. This update fixes the privilege escalation vulnerability that allows unauthenticated users to assign user roles during registration.
CVE-2024-9518 is a critical vulnerability in the UserPlus WordPress plugin allowing unauthenticated attackers to escalate privileges by assigning themselves arbitrary user roles during registration.
You are affected if you are using UserPlus WordPress plugin versions 2.0 or earlier. Upgrade to the latest version as soon as possible.
Upgrade the UserPlus plugin to a patched version. Monitor the UserPlus website and WordPress plugin repository for updates. As a temporary workaround, disable user registration.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Check the UserPlus website and the WordPress plugin repository for the official advisory regarding CVE-2024-9518.