Platform
wordpress
Component
acf-frontend-form-element
Fixed in
3.24.6
CVE-2024-11721 is a privilege escalation vulnerability in the Frontend Admin plugin by DynamiApps (slug acf-frontend-form-element) for WordPress. It allows unauthenticated attackers to create new user accounts with the administrator role, bypassing the site's role-based access controls. All plugin versions up to and including 3.24.5 are affected; version 3.24.6 contains the fix.
The primary impact of CVE-2024-11721 is that an unauthenticated attacker can obtain administrative privileges on a WordPress site. That grants complete control: modifying content, installing malicious plugins, reading sensitive data and, from there, potentially compromising the underlying server. Exploitation requires only access to a vulnerable, publicly reachable form, which significantly increases the risk. The flaw follows the familiar privilege escalation pattern in which insufficient validation of a user-controlled input lets an unauthorized user choose their own access level.
CVE-2024-11721 was publicly disclosed on December 14, 2024, and the NVD entry was published the same day. No public proof-of-concept (PoC) has been widely released; the low attack complexity nevertheless makes real-world exploitation plausible, although the EPSS estimate shown on this page (0.24%) is currently low. The vulnerability is not listed in the CISA KEV catalog.
WordPress sites running the Frontend Admin plugin are at risk, particularly those that expose a user-creation form publicly without additional access controls. Shared hosting environments, where many sites share one server, carry additional risk because a compromise of one site can enable lateral movement to others.
• wordpress / composer / npm (confirm the field the advisory refers to is present; this does not by itself indicate a vulnerable version):
grep -r 'user_role_select' /var/www/html/wp-content/plugins/acf-frontend-form-element/
• wordpress / composer / npm (check the installed version and status; anything up to and including 3.24.5 is vulnerable):
wp plugin list --fields=name,status,version | grep acf-frontend-form-element
• wordpress / composer / npm (update to the fixed release):
wp plugin update acf-frontend-form-element
Disclosure
Exploit status
EPSS
0.24% (47th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11721 is to upgrade the Frontend Admin plugin to version 3.24.6 or later, where the vulnerability is patched. If an immediate upgrade is not feasible because of compatibility concerns, restrict the affected form so that only authenticated, trusted roles can reach it, add a Web Application Firewall (WAF) rule that blocks unauthenticated requests attempting to create users with administrative privileges, and monitor WordPress logs for unexpected user creation or role changes.
Update the Frontend Admin by DynamiApps plugin to the latest available version. This fixes the privilege escalation vulnerability that allows unauthorized administrator accounts to be created.
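The WAF rule and log monitoring recommended above can be complemented by a server-side compensating control inside WordPress itself. The following must-use plugin is an added example written for this page; it is not code from the Frontend Admin plugin or from DynamiApps. It hooks the core `set_user_role` and `add_user_role` actions, which fire whenever an account is given a role (including inside `wp_insert_user()`), and refuses the administrator role unless the request comes from a logged-in user who may promote users, from WP-CLI, or from the core installer. The file path, the function prefix `arg_` and the choice of `subscriber` as the fallback role are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Administrator Role Guard (added example, not part of Frontend Admin)
 *
 * Must-use plugin: save as wp-content/mu-plugins/admin-role-guard.php (assumed path).
 * Stopgap while a vulnerable Frontend Admin version (<= 3.24.5) is still installed:
 * any administrator grant that does not come from a trusted actor is logged,
 * reported by e-mail and reverted by demoting the account to subscriber.
 */

add_action( 'set_user_role', 'arg_guard_role_change', 10, 2 ); // fired by wp_insert_user() and WP_User::set_role()
add_action( 'add_user_role', 'arg_guard_role_change', 10, 2 ); // fired by WP_User::add_role()

/**
 * @param int    $user_id ID of the account whose roles changed.
 * @param string $role    Role that was just set or added.
 */
function arg_guard_role_change( $user_id, $role ) {
	if ( 'administrator' !== $role ) {
		return;
	}
	if ( arg_actor_is_trusted() ) {
		return;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	// Log first, so the record survives even if the demotion below fails.
	error_log( 'admin-role-guard: blocked administrator grant ' . wp_json_encode( array(
		'user_id'     => $user_id,
		'user_login'  => $user->user_login,
		'user_email'  => $user->user_email,
		'request_uri' => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
		'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '', // proxy/CDN address if fronted by one
		'actor_id'    => get_current_user_id(), // 0 for an unauthenticated request
	) ) );

	// set_role() replaces every role on the account. It fires set_user_role again,
	// this time with 'subscriber', which the first check above lets through, so there is no loop.
	$user->set_role( 'subscriber' );

	wp_mail(
		get_option( 'admin_email' ),
		'[' . get_bloginfo( 'name' ) . '] Unauthorized administrator account demoted',
		sprintf(
			"User %s (ID %d) was granted the administrator role by an untrusted request and has been demoted to subscriber.\nReview the account and your web server access logs for the request recorded in the PHP error log.",
			$user->user_login,
			$user_id
		)
	);
}

/** Contexts in which granting the administrator role is legitimate. */
function arg_actor_is_trusted() {
	if ( wp_installing() ) {                // core installer creating the first administrator
		return true;
	}
	if ( defined( 'WP_CLI' ) && WP_CLI ) {  // e.g. wp user create ... --role=administrator
		return true;
	}
	return is_user_logged_in() && current_user_can( 'promote_users' );
}
```

The guard does not depend on knowing which form or request parameter the attacker uses; it acts on the outcome (an administrator role being assigned) and therefore also covers other plugins with the same class of flaw. It is a stopgap, not a substitute for upgrading to 3.24.6. For triage of sites that may already have been hit, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator with its registration date, so accounts created after the plugin was installed and not recognised by the site owner can be reviewed.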
CVE-2024-11721 is a vulnerability in the Frontend Admin WordPress plugin allowing unauthenticated users to create admin accounts. It has a CVSS score of 8.1 (HIGH).
Yes: if you run Frontend Admin by DynamiApps version 3.24.5 or earlier, you are vulnerable to this privilege escalation flaw.
Upgrade the Frontend Admin plugin to version 3.24.6 or later. If an immediate upgrade is not possible, restrict access to the affected form and add WAF rules blocking unauthenticated user creation with administrative roles.
No public PoC has been widely released, but the low attack complexity means active exploitation remains plausible.
Refer to the DynamiApps website and WordPress plugin repository for the latest security advisory and update information.