Platform: wordpress
Component: wpgym
Fixed in: 67.1.1
CVE-2024-9941 is a privilege escalation vulnerability in the WPGYM - WordPress Gym Management System plugin. Because the plugin's user-creation functionality does not adequately check the caller's capabilities, any authenticated user with subscriber-level access or higher can create new user accounts and assign them the administrator role. The vulnerability affects versions up to and including 67.1.0; version 67.1.1 contains the fix.
The impact is severe. An attacker who holds nothing more than a subscriber account (on many sites, anything a visitor can self-register) can create an administrator account and log in with it. That grants full control of the WordPress site: reading sensitive data, modifying content, installing malicious plugins or themes, and in turn compromising the underlying host. No password cracking or chaining with other vulnerabilities is needed, and the low privilege requirement makes the pool of potential attackers very large.
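The following is an added illustration of the class of bug described above, not WPGYM's own code: a generic WordPress AJAX "add member" handler that trusts a caller-supplied role with no capability check, beside a hardened version. All function, action and role names (the `demo_gym_*` prefix) are hypothetical.

```php
<?php
/**
 * Illustrative only: a generic WordPress AJAX "add member" handler showing the
 * authorization-bypass pattern behind CVE-2024-9941, beside a hardened version.
 * Function, action and role names (demo_gym_*) are hypothetical, not WPGYM's code.
 */

// --- VULNERABLE PATTERN ---------------------------------------------------
// wp_ajax_* hooks only require that the caller be logged in. Any subscriber can
// POST to /wp-admin/admin-ajax.php?action=demo_gym_add_member_vuln, and because
// the role is copied straight from the request, they can ask for "administrator".
add_action( 'wp_ajax_demo_gym_add_member_vuln', 'demo_gym_add_member_vuln' );
function demo_gym_add_member_vuln() {
    $user_id = wp_insert_user( array(
        'user_login' => $_POST['user_login'],
        'user_email' => $_POST['user_email'],
        'user_pass'  => $_POST['user_pass'],
        'role'       => $_POST['role'],   // attacker-controlled, never checked
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// --- HARDENED PATTERN -----------------------------------------------------
add_action( 'wp_ajax_demo_gym_add_member', 'demo_gym_add_member' );
function demo_gym_add_member() {
    // 1. CSRF: the request must carry a nonce bound to this action.
    check_ajax_referer( 'demo_gym_add_member', '_wpnonce' );

    // 2. Authorization: creating users and choosing their role are separate
    //    capabilities in WordPress; subscribers have neither.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Role allow-list: even a fully privileged caller may only hand out the
    //    roles this feature exists to manage, and the role must exist on the site.
    $allowed_roles = array( 'subscriber', 'demo_gym_member' ); // hypothetical plugin role
    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    if ( ! in_array( $role, $allowed_roles, true ) || ! wp_roles()->is_role( $role ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    // 4. Input validation.
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid login or email', 400 );
    }
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( 'user exists', 409 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), // the caller never picks someone else's password
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
```

The check on line 2 of the hardened handler is the one whose absence produces this vulnerability class; the nonce alone does not help, since the attacker is a logged-in user who can obtain a valid nonce from any page that renders the form. The role allow-list is defence in depth: it keeps a future logic error in the capability check from ever yielding an administrator.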
CVE-2024-9941 was publicly disclosed on 2024-11-23. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a PoC could be developed relatively easily. It is not currently listed on the CISA KEV catalog. Active exploitation is not yet confirmed, but the ease of exploitation warrants close monitoring.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-9941 is to upgrade the WPGYM plugin to 67.1.1 or later immediately. If the upgrade cannot be applied at once because of compatibility concerns, reduce exposure in the meantime: disable open user registration if it is not required, review who holds subscriber or higher accounts, and enforce strict access controls with regular audits of user accounts. A WAF or reverse proxy cannot repair the missing authorization check inside the plugin, but it can flag or block requests to the plugin's user-creation functionality that originate from non-administrator sessions, and it should be used to alert on any new administrator account. After upgrading, verify the fix by logging in as a subscriber and attempting to create a user with administrator privileges through the plugin; the request must be rejected, and the administrator list must be unchanged.
Update the WPGYM - Wordpress Gym Management System plugin to the latest available version. The vulnerability allows authenticated users with subscriber level or higher to create administrator accounts, which can compromise the security of the website.
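For the "audit user accounts" and "alert on new administrator accounts" advice above, the following must-use plugin is an added example of site-side detection. It is not part of WPGYM or of the official fix; it hooks WordPress core's `set_user_role` action, which fires whenever a role is assigned (including during `wp_insert_user`), and raises an alert whenever the administrator role is granted by a session that lacks the `promote_users` capability. The file name, log prefix and message format are this example's own choices.

```php
<?php
/**
 * Plugin Name: Admin Role Grant Monitor (illustrative example, not part of WPGYM)
 * Description: Logs and emails when any code path grants the administrator role
 *              while the acting session cannot legitimately promote users.
 * Install: copy to wp-content/mu-plugins/admin-role-monitor.php so it loads
 *          before ordinary plugins and cannot be deactivated from the dashboard.
 */

add_action( 'set_user_role', 'demo_monitor_admin_role_grant', 10, 3 );

/**
 * @param int      $user_id   User whose role was just set.
 * @param string   $role      New role slug.
 * @param string[] $old_roles Roles held before the change.
 */
function demo_monitor_admin_role_grant( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    // Expected sources of an administrator grant: a session allowed to promote
    // users, WP-CLI (which has no web session), and the installer. Anything else,
    // e.g. a subscriber's browser session reaching a plugin endpoint, is alerted.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) || wp_installing() ) {
        return;
    }

    $actor  = wp_get_current_user();          // ID 0 when no user is logged in
    $target = get_userdata( $user_id );
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $uri    = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';

    $msg = sprintf(
        '[admin-role-monitor] administrator granted to user #%d (%s, previous roles: %s) by user #%d (%s, roles: %s) from %s via %s',
        $user_id,
        $target ? $target->user_login : 'unknown',
        implode( ',', (array) $old_roles ) ?: 'none',
        $actor->ID,
        $actor->ID ? $actor->user_login : 'anonymous',
        $actor->ID ? implode( ',', $actor->roles ) : 'none',
        $remote,
        $uri
    );

    error_log( $msg );   // PHP/WordPress error log, where a SIEM or log shipper can pick it up
    wp_mail( get_option( 'admin_email' ), 'Unexpected administrator role grant', $msg );
}
```

The monitor deliberately alerts rather than reverting the role: an automatic downgrade inside the hook would also strike legitimate grants made from contexts without a web session (cron, custom scripts), and an attacker who already reached this point should be handled by incident response, not silently undone. For the periodic audit the page recommends, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists current administrators with their registration dates, which makes an unexpected recent addition easy to spot.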
CVE-2024-9941 is a privilege escalation vulnerability in the WPGYM WordPress plugin, allowing subscribers to create admin accounts.
You are affected if you are using WPGYM plugin versions 67.1.0 or earlier.
Upgrade the WPGYM plugin to the latest version that includes the security fix.
Active exploitation is not yet confirmed, but the vulnerability's simplicity warrants close monitoring.
Refer to the WPGYM plugin website or WordPress plugin repository for the official advisory and update information.