CRITICAL · CVE-2024-43311 · CVSS 9.8

CVE-2024-43311: Privilege Escalation in Login As Users

Platform

wordpress

Component

login-as-users

Fixed in

1.4.3

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2024-43311 describes an Improper Privilege Management vulnerability within the Login As Users WordPress plugin. This flaw allows attackers to escalate privileges, potentially gaining unauthorized access to administrative functions and sensitive data. The vulnerability impacts versions of Login As Users up to and including 1.4.2, with a fix available in version 1.4.3.

Impact and Attack Scenarios

The Improper Privilege Management vulnerability allows an attacker to bypass access controls and assume the privileges of other users, potentially including administrators. Successful exploitation could lead to complete compromise of a WordPress site, enabling attackers to modify content, install malicious plugins, steal user credentials, or deface the website. The impact is particularly severe given the plugin's function – allowing users to log in as others – which, when combined with privilege escalation, creates a highly exploitable scenario. This could be leveraged to gain access to sensitive data or perform actions on behalf of other users without authorization.

Exploitation Context

CVE-2024-43311 was publicly disclosed on August 19, 2024. As of this date, no public proof-of-concept exploits have been released. The vulnerability's severity (CVSS 9.8) indicates a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.21% (44% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base score: 9.8 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: login-as-users
Vendor: Geek Code Lab
Affected range: 0.0.0 – 1.4.2
Fixed in: 1.4.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-43311 is to immediately upgrade the Login As Users plugin to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is unavailable, implementing strict user access controls and regularly auditing user permissions can help limit the potential damage if the vulnerability is exploited. Review WordPress user roles and permissions to ensure least privilege is enforced.
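The check below is an added example, not a script from the plugin vendor or this advisory: it assumes WP-CLI is installed on the WordPress host, compares the installed login-as-users version against the fixed release 1.4.3, deactivates the plugin when it is still in the affected range, and lists administrator accounts for the permissions review the mitigation recommends.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes WP-CLI ("wp") is available and
# the script is run from the WordPress root as the web user.

FIXED_VERSION="1.4.3"   # first release that closes CVE-2024-43311 per the advisory
PLUGIN_SLUG="login-as-users"

# version_lt A B: exit 0 when dotted numeric version A is strictly lower than B.
# Pure POSIX sh, so it also works where `sort -V` is unavailable.
# Assumes purely numeric components (e.g. "1.4.2"); pre-release suffixes are not handled.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is in the affected range (<= 1.4.2).
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# check_site: query the installed plugin version, deactivate if affected,
# then list administrators so privileged accounts can be reviewed.
check_site() {
  if ! ver="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null)"; then
    echo "$PLUGIN_SLUG is not installed on this site"
    return 0
  fi
  if is_vulnerable "$ver"; then
    echo "$PLUGIN_SLUG $ver is affected by CVE-2024-43311; deactivating until $FIXED_VERSION+ is installed"
    wp plugin deactivate "$PLUGIN_SLUG"
  else
    echo "$PLUGIN_SLUG $ver is at or above the fixed version $FIXED_VERSION"
  fi
  echo "Administrator accounts to review for least privilege:"
  wp user list --role=administrator --fields=ID,user_login,user_email
}

if command -v wp >/dev/null 2>&1; then
  check_site
else
  echo "WP-CLI not found; run this on the WordPress host"
fi
```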

How to fix

Update the Login As Users plugin to the latest available version. The privilege escalation vulnerability has been fixed in versions after 1.4.2. Consult the plugin's changelog for more details on the fix.

Frequently asked questions

What is CVE-2024-43311 — Privilege Escalation in Login As Users?

CVE-2024-43311 is a critical vulnerability in the Login As Users WordPress plugin that allows attackers to escalate privileges and gain unauthorized access.

Am I affected by CVE-2024-43311 in Login As Users?

Yes, if you are using Login As Users version 1.4.2 or earlier, you are affected by this vulnerability.

How do I fix CVE-2024-43311 in Login As Users?

Upgrade the Login As Users plugin to version 1.4.3 or later to remediate the vulnerability. If immediate upgrade is not possible, disable the plugin.

Is CVE-2024-43311 being actively exploited?

As of August 19, 2024, no public exploits are known, but the high severity score suggests a potential for exploitation.

Where can I find the official Login As Users advisory for CVE-2024-43311?

Refer to the Geek Code Lab website and WordPress plugin repository for the official advisory and update information.