Platform
wordpress
Component
post-meta-data-manager
Fixed in
1.4.4
1.4.5
CVE-2024-13835 is a privilege escalation vulnerability discovered in the Post Meta Data Manager plugin for WordPress. An authenticated attacker with Administrator-level access can exploit this flaw to gain elevated privileges on subsites within a multisite WordPress installation. This vulnerability affects versions of the plugin up to and including 1.4.4. A patch is available to resolve this issue.
This vulnerability allows an authenticated administrator on a WordPress multisite installation to bypass access controls and gain administrative privileges on subsites they would normally not have access to. An attacker could leverage this to modify site content, install malicious plugins or themes, or compromise user accounts on those subsites. The potential impact extends to data breaches, website defacement, and complete site takeover of affected subsites. This vulnerability highlights the importance of proper access control verification within WordPress plugins, especially in multisite environments.
CVE-2024-13835 was publicly disclosed on 2025-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the presence of a WordPress multisite installation and the attacker's ability to obtain administrator-level access to the main site.
Exploit Status
EPSS
0.22% (45% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13835 is to upgrade the Post Meta Data Manager plugin to a version higher than 1.4.4, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider restricting administrator access to the main site and implementing stricter user role permissions on subsites. Regularly review user roles and permissions to ensure they align with the principle of least privilege. After upgrading, confirm the fix by attempting to access a subsites as a user with limited privileges and verifying that access is denied.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-13835 is a vulnerability in the Post Meta Data Manager plugin for WordPress that allows authenticated administrators to gain elevated privileges on subsites within a multisite installation.
You are affected if you are using the Post Meta Data Manager plugin in a WordPress multisite environment and are running a version equal to or less than 1.4.4.
Upgrade the Post Meta Data Manager plugin to a version greater than 1.4.4. This resolves the privilege escalation vulnerability.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2024-13835.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.