Platform
wordpress
Component
userplus
Fixed in
2.0.1
CVE-2024-9518 is a privilege escalation vulnerability in the UserPlus plugin for WordPress, versions up to and including 2.0. During user registration the plugin accepts a role chosen by the client, so an unauthenticated visitor can register an account with any role, including administrator, bypassing the checks WordPress normally applies before a role is granted. A fixed release, 2.0.1, is available and users are strongly advised to upgrade immediately.
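The class of bug behind CVE-2024-9518 is a registration handler that takes the role from the request instead of deciding it server-side. The following is an added illustration of that pattern next to its fix, written for this page; it is not the UserPlus plugin's code, and the form field names (`username`, `email`, `password`, `role`) and the `customer` role are assumed for the example.

```php
<?php
// Illustrative only: NOT the UserPlus plugin's actual code. Shows the class of
// bug described by CVE-2024-9518 (a registration handler that trusts a
// client-supplied role) beside a hardened version. Field names are assumed.

// --- Vulnerable pattern ---------------------------------------------------
function vulnerable_register_user( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        // BUG: the role comes straight from the request. wp_insert_user() does
        // not check capabilities, so an unauthenticated visitor who sends
        // role=administrator gets exactly that.
        'role'       => $post['role'],
    ) );
}

// --- Hardened pattern -----------------------------------------------------
function hardened_register_user( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        // The role is decided by the server: the site's configured default
        // role, which is what WordPress core's own registration uses.
        // The client's 'role' field is never read.
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}

// If the form legitimately offers a choice of account type, allow-list the
// public options explicitly and never include privileged roles in the list.
function registration_role_from_choice( $choice ) {
    $public_roles = array( 'subscriber', 'customer' ); // assumed, site-specific
    $choice       = sanitize_key( (string) $choice );
    if ( in_array( $choice, $public_roles, true ) ) {
        return $choice;
    }
    return get_option( 'default_role', 'subscriber' );
}
```

The fix is not input sanitisation: `administrator` is a perfectly well-formed role name. The fix is that the role is never a decision the unauthenticated client gets to make, and where a choice exists it is matched against a fixed allow-list that contains only roles it is safe to hand out to anyone.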
The impact of CVE-2024-9518 is severe. Successful exploitation allows an unauthenticated attacker to register a new user with any desired role, bypassing WordPress's standard user management entirely. An account with administrator privileges can read and modify all site data, deface the site, install malicious plugins, and edit plugin and theme files from the dashboard, which means running arbitrary PHP as the web server user: a full compromise of the site and a foothold on the host. The ease of exploitation, combined with the widespread use of WordPress, makes it a significant threat.
CVE-2024-9518 was publicly disclosed on 2024-10-10. The vulnerability's simplicity and the popularity of the UserPlus plugin suggest a high probability of exploitation. No public proof-of-concept (POC) code has been identified as of this writing, but the ease of exploitation makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS
0.95% (76th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-9518 is to upgrade UserPlus to 2.0.1 or later, the version listed above as fixed. If you cannot upgrade immediately, turn off open registration (Settings > General, uncheck "Anyone can register") or deactivate the plugin; tightening roles elsewhere in WordPress does not help, because core does not validate the role a plugin passes when it creates a user. Patching closes the hole but does not undo any accounts created through it, so review every account holding administrator or another privileged role, paying particular attention to those registered while the vulnerable version was installed, and remove or demote any you cannot account for. After upgrading, verify the fix by submitting a registration that includes a role value of administrator and confirming that the new account receives only the site's default role.
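For the account review, the following is an added script for this page, not part of UserPlus or WordPress; run it with `wp eval-file audit-privileged-users.php` on the affected site. It lists every account holding a privileged role and flags those registered on or after the disclosure date that are not on your list of known administrators. The privileged-role list and the `$known_admin` logins are assumptions to adjust per site.

```php
<?php
// Added example, not from the UserPlus project. Run with:
//   wp eval-file audit-privileged-users.php
// Lists every account holding a privileged role and flags those registered on
// or after the CVE-2024-9518 disclosure date that are not known administrators.

$privileged  = array( 'administrator', 'editor' ); // assumed: adjust per site
$since       = '2024-10-10 00:00:00';              // disclosure date from the advisory
$known_admin = array( 'siteowner' );               // assumed: your legitimate admin logins

$users = get_users( array(
    'role__in' => $privileged,
    'orderby'  => 'registered',
    'order'    => 'DESC',
) );

$suspects = array();
foreach ( $users as $u ) {
    $flag = '';
    // user_registered is a MySQL datetime string, so string comparison is safe here.
    if ( $u->user_registered >= $since && ! in_array( $u->user_login, $known_admin, true ) ) {
        $flag       = '  <-- registered after disclosure, not in known-admin list';
        $suspects[] = $u->ID;
    }
    WP_CLI::log( sprintf(
        '%5d  %-20s  %-30s  %-15s  %s%s',
        $u->ID,
        $u->user_login,
        $u->user_email,
        implode( ',', $u->roles ),
        $u->user_registered,
        $flag
    ) );
}

if ( $suspects ) {
    WP_CLI::warning( count( $suspects ) . ' privileged account(s) need review. '
        . 'To demote one: wp user set-role <ID> subscriber' );
} else {
    WP_CLI::success( 'No privileged accounts registered since ' . $since
        . ' outside the known-admin list.' );
}
```

Treat the output as a starting point, not proof of a clean site: an attacker who obtained administrator access can edit `user_registered` or promote an older account, so also compare the full privileged list against what you expect, not just the post-disclosure entries.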
Update the UserPlus plugin to 2.0.1 or later. This release corrects the privilege escalation flaw that let unauthenticated users choose their own role during registration.
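If the update cannot be applied straight away and registration must stay open, a stop-gap is a must-use plugin that refuses privileged roles to requests that are not themselves allowed to promote users. The following is an added example written for this page, not code from UserPlus or WordPress core; the list of roles it treats as privileged is an assumption. It hooks WordPress's `set_user_role` action, which fires from `WP_User::set_role()` (and therefore from `wp_insert_user()` when a role is supplied), and demotes the account back to the default role while logging the event.

```php
<?php
/**
 * Plugin Name: Registration Role Guardrail (illustrative)
 * Description: Added example, not part of UserPlus or WordPress core. Drop it
 * in wp-content/mu-plugins/ as a stop-gap until UserPlus is updated. Demotes
 * any account given a privileged role by a request that is not authorised to
 * promote users, and writes an audit line to the PHP error log.
 */

// Roles that must never be assigned by an unprivileged request. Assumed list.
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

function rrg_is_privileged_role( $role ) {
    return in_array( $role, RRG_PRIVILEGED_ROLES, true );
}

/**
 * Runs inside WP_User::set_role() after the role has been applied.
 * A static guard prevents recursion, since we call set_role() ourselves.
 */
function rrg_on_set_user_role( $user_id, $role, $old_roles ) {
    static $in_guard = false;
    if ( $in_guard || ! rrg_is_privileged_role( $role ) ) {
        return;
    }
    // Legitimate paths that assign privileged roles without a logged-in
    // promoter: site installation and WP-CLI. Let them through untouched.
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    // An administrator adding or editing a user in the dashboard, or an
    // authenticated REST call with the right capability, is allowed.
    if ( current_user_can( 'promote_users' ) ) {
        return;
    }

    $in_guard = true;
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
    $in_guard = false;

    error_log( sprintf(
        'rrg: user %d was given role "%s" by an unprivileged request (ip=%s uri=%s); demoted to default role',
        $user_id,
        $role,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
}
add_action( 'set_user_role', 'rrg_on_set_user_role', 10, 3 );
```

Two caveats. First, this only catches role changes that go through `set_role()`; a plugin that calls `add_role()` or writes the `wp_capabilities` meta directly never triggers `set_user_role`, so the guardrail is a reduction in exposure, not a substitute for the 2.0.1 update. Second, the `error_log()` line is there so you can see whether anyone is trying: with `WP_DEBUG_LOG` enabled it lands in `wp-content/debug.log`, otherwise in the PHP error log, and a hit there is worth treating as an exploitation attempt.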
CVE-2024-9518 is a critical vulnerability in the UserPlus WordPress plugin allowing unauthenticated attackers to escalate privileges by assigning themselves arbitrary user roles during registration.
You are affected if the UserPlus WordPress plugin, version 2.0 or earlier, is installed. Upgrade to 2.0.1 or later as soon as possible.
Upgrade the UserPlus plugin to 2.0.1 or later. As a temporary workaround, disable open user registration or deactivate the plugin, then review privileged accounts for any created while the vulnerable version was active.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Check the UserPlus website and the WordPress plugin repository for the official advisory regarding CVE-2024-9518.