Platform: wordpress
Component: json-api-user
Fixed in: 3.9.4
A critical privilege escalation vulnerability (CVE-2024-6624) has been identified in the JSON API User plugin for WordPress, affecting versions up to and including 3.9.3. This flaw allows unauthenticated attackers to register as administrators on the site, effectively gaining full control. The vulnerability stems from improper controls on custom user meta fields and requires the JSON API plugin to also be installed. A patch is available to address this issue.
The impact of CVE-2024-6624 is severe. An unauthenticated attacker can exploit this vulnerability to register themselves as an administrator on a WordPress site. This grants them complete control over the site, including the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise the entire server. The requirement for the JSON API plugin to also be installed broadens the attack surface, as many WordPress sites utilize this plugin for API functionality. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for large-scale compromise if exploited.
CVE-2024-6624 was publicly disclosed on 2024-07-11. While no public proof-of-concept (PoC) has been widely released, the ease of exploitation makes it likely that attackers are actively scanning for vulnerable instances, and the criticality of the flaw suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 43.45% (97th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-6624 is to immediately upgrade the JSON API User plugin to a version beyond 3.9.3. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict user registration policies and limiting access to sensitive areas of the site can help reduce the potential impact. Monitor WordPress access logs for suspicious registration attempts. After upgrading, confirm the fix by attempting to register a new user without authentication and verifying that the registration fails.
Update the JSON API User plugin to the latest available version. This will fix the privilege escalation vulnerability that allows unauthenticated attackers to register as administrators on the site.
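The two checks the mitigation section calls for, a version check and a review of access logs for registration attempts, can be scripted. The following is an added example written for this page; it is not code from the JSON API User plugin or the advisory. It assumes the Apache/nginx combined log format, and it assumes (as a placeholder you should adjust for your deployment) that the JSON API plugin routes calls through a `json` query parameter and that the registration method is named `user/register`. The log lines are constructed for the example.

```python
import re

# From the advisory: the fix ships in 3.9.4, so anything below it is affected.
FIXED_VERSION = (3, 9, 4)

# ASSUMPTION (placeholder, adjust for your site): the JSON API plugin dispatches
# on a "json" query parameter and JSON API User exposes a "user/register" method.
REGISTER_PATTERN = re.compile(r"[?&]json=user/register\b", re.IGNORECASE)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic): one host makes repeated
# registration calls that succeed, a second host is blocked with a 403.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2024:10:01:02 +0000] "POST /?json=user/register&username=u1 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [11/Jul/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jul/2024:10:01:09 +0000] "POST /?json=user/register&username=u2 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [11/Jul/2024:10:01:15 +0000] "POST /?json=user/register&username=u3 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [11/Jul/2024:10:02:00 +0000] "POST /?json=user/register&username=u4 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]


def parse_version(header_text):
    """Read the 'Version: x.y.z' line of a WordPress plugin header as a tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the installed version is below the fixed release."""
    return version is not None and version < FIXED_VERSION


def find_registration_attempts(log_lines):
    """Return one record per request that hits the registration method."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if REGISTER_PATTERN.search(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "ua": m["ua"],
            })
    return hits


def successful_registrations(hits):
    """Registration calls the server answered with 2xx: review these accounts."""
    return [h for h in hits if 200 <= h["status"] < 300]


def repeat_offenders(hits, threshold=3):
    """Source IPs with at least `threshold` registration calls."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    header = "/*\n * Plugin Name: JSON API User\n * Version: 3.9.3\n */"
    print("vulnerable:", is_vulnerable(parse_version(header)))
    hits = find_registration_attempts(SAMPLE_LOG)
    print("registration calls:", len(hits))
    print("succeeded:", len(successful_registrations(hits)))
    print("repeat sources:", repeat_offenders(hits))
```

Point `parse_version` at the plugin's main PHP file header to decide whether the site is still on an affected build, and feed real access-log lines to `find_registration_attempts`; any 2xx result from an unauthenticated source after the upgrade means the fix has not taken effect and the created account should be reviewed.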
CVE-2024-6624 is a critical vulnerability in the JSON API User plugin for WordPress versions up to 3.9.3, allowing unauthenticated attackers to register as administrators.
Yes, if you are using the JSON API User plugin in WordPress and are running version 3.9.3 or earlier, you are affected by this vulnerability.
Upgrade the JSON API User plugin to a version greater than 3.9.3. If immediate upgrade is not possible, temporarily disable the plugin.
While no public PoC exists, the vulnerability's criticality and ease of exploitation suggest a high probability of active exploitation.
Refer to the official JSON API User plugin website or the WordPress security advisory for the latest information and updates.