Platform: wordpress
Component: wpcom-member
Fixed in: 1.5.3
CVE-2024-7493 is a privilege escalation vulnerability affecting the WPCOM Member plugin for WordPress. This flaw allows unauthenticated attackers to elevate their user role to administrator during the registration process, granting them complete control over the affected WordPress site. The vulnerability impacts versions up to and including 1.5.2.1, and a patch is available from the plugin developers.
The impact of CVE-2024-7493 is severe. Successful exploitation allows an attacker to gain full administrative access to a WordPress site without requiring any prior authentication. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially compromise the entire server. The ease of exploitation, requiring only a successful registration, significantly broadens the attack surface and increases the risk of widespread compromise for WordPress installations using the vulnerable plugin.
CVE-2024-7493 was publicly disclosed on 2024-09-06. No known public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation makes it a likely target. It is not currently listed on the CISA KEV catalog. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
Exploit Status
EPSS: 1.02% (77th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-7493 is to immediately update the WPCOM Member plugin to a version higher than 1.5.2.1. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new registrations. While a direct WAF rule is difficult to implement, monitoring for unusual user registration patterns (e.g., rapid role changes) can provide early detection. After upgrading, verify the fix by attempting a new user registration and confirming that the user role is not automatically elevated to administrator.
Update the WPCOM Member plugin to the latest available version. Version 1.5.2.2 or higher corrects this privilege escalation vulnerability. This will prevent unauthenticated users from registering as administrators.
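As an added example (not from this advisory and not the plugin's own code), one way to turn the monitoring advice above into a concrete post-upgrade check: audit a WP-CLI user export for accounts that hold the administrator role, were registered during the exposure window, and are not on a known-good list. The CSV rows, the baseline set and the window start date are constructed assumptions.

```python
"""Audit a WordPress user export for administrator accounts created
recently (e.g. while the vulnerable plugin was installed) that are not
on the known-good administrator list."""
import csv
import io
from datetime import datetime

# Constructed sample of:
#   wp user list --fields=ID,user_login,user_registered,roles --format=csv
# (hypothetical data, not taken from the advisory).
SAMPLE_CSV = """ID,user_login,user_registered,roles
1,siteowner,2021-03-14 09:12:00,administrator
17,editor_jane,2023-11-02 16:40:10,editor
42,newmember,2024-09-07 03:15:22,subscriber
43,support_team,2024-09-07 03:16:05,administrator
"""

# Assumption: a maintained baseline of legitimate administrator logins.
KNOWN_ADMINS = {"siteowner"}


def parse_users(csv_text):
    """Parse WP-CLI CSV output; convert timestamps and split multi-role values."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["user_registered"] = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        row["roles"] = set(row["roles"].split(","))
        users.append(row)
    return users


def suspicious_admins(users, since, known_admins=KNOWN_ADMINS):
    """Logins holding the administrator role, registered at or after `since`,
    and absent from the baseline: a new account landing directly in the
    administrator role is the outcome CVE-2024-7493 allowed."""
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u["roles"]
        and u["user_registered"] >= since
        and u["user_login"] not in known_admins
    )


def audit_csv(csv_text, since_date):
    """Convenience wrapper taking the window start as YYYY-MM-DD."""
    return suspicious_admins(parse_users(csv_text), datetime.strptime(since_date, "%Y-%m-%d"))


if __name__ == "__main__":
    for login in audit_csv(SAMPLE_CSV, "2024-09-01"):  # assumption: exposure window start
        print(f"review administrator account: {login}")
```

Any login the audit reports should be reviewed against the site's change records; a legitimate admin added in that period belongs in the baseline, an unexplained one warrants the incident checks the advisory describes.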
CVE-2024-7493 is a critical vulnerability in the WPCOM Member plugin for WordPress allowing unauthenticated attackers to gain administrator privileges during user registration.
You are affected if your WordPress site uses the WPCOM Member plugin version 1.5.2.1 or earlier. Check your plugin version and update immediately.
Update the WPCOM Member plugin to a version higher than 1.5.2.1. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target. Monitor your site closely.
Refer to the official WPCOM Member plugin website or WordPress.org plugin repository for the latest advisory and update information.