Platform
wordpress
Component
userpro
Fixed in
5.1.9
CVE-2024-35700 describes an Improper Privilege Management vulnerability within the DeluxeThemes UserPro WordPress plugin. This flaw allows attackers to escalate privileges, potentially gaining unauthorized access to sensitive data and functionality. The vulnerability impacts versions of UserPro up to and including 5.1.8, with a fix available in version 5.1.9.
The Improper Privilege Management vulnerability in UserPro allows an attacker to bypass intended access controls and gain elevated privileges within the WordPress environment. This could enable them to modify user roles, access restricted content, install malicious plugins, or even compromise the entire WordPress installation. The potential impact is significant, especially in environments where UserPro is used to manage user profiles and access levels. Successful exploitation could lead to data breaches, website defacement, and complete system takeover. The CRITICAL CVSS score of 9.8 reflects the ease of exploitation and the severity of the potential consequences.
CVE-2024-35700 was publicly disclosed on June 4, 2024. Currently, there are no publicly available proof-of-concept exploits. The vulnerability's ease of exploitation, combined with UserPro's popularity, suggests a potential for rapid exploitation if a PoC is released. It is advisable to prioritize patching to minimize risk. The vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing DeluxeThemes UserPro for user management, particularly those with custom user roles or restricted access areas, are at significant risk. Shared hosting environments where UserPro is installed on a multi-tenant server are especially vulnerable, as a compromise of one UserPro instance could potentially impact other websites on the same server.
• wordpress / composer / npm: wp plugin list | grep -i userpro
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status userpro
• wordpress / composer / npm: grep -r 'user_can' /var/www/html/wp-content/plugins/userpro/
Disclosure
Exploit Status
EPSS
0.63% (70th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-35700 is to immediately upgrade DeluxeThemes UserPro to version 5.1.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to UserPro's administrative features. While not a complete solution, implementing strict user role permissions and regularly auditing UserPro configurations can help limit the potential impact. Monitor WordPress logs for suspicious activity related to UserPro, particularly attempts to modify user roles or access restricted areas. After upgrading, verify the fix by attempting to access administrative functions with a limited user account.
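The upgrade guidance and the WP-CLI commands above leave the "is the installed build still below 5.1.9?" decision to the reader. The following shell script is an added example, not code from this advisory or from the UserPro project: it compares a dotted version string against the fixed release named on the page and classifies the UserPro entry from WP-CLI plugin output. It assumes the plugin slug is userpro (the directory name used on this page) and that WP-CLI is installed on the host; the plugin list embedded below is constructed sample data, not output from a real site.

```shell
#!/bin/sh
# Added example (not from the advisory or the UserPro project): decide whether
# an installed UserPro build is below the fixed release 5.1.9 named on the page.
# Assumptions: the plugin slug is "userpro" and WP-CLI reports dotted versions.

FIXED_VERSION="5.1.9"

# version_lt A B: return 0 when dotted version A is lower than B.
# Missing components count as 0, so "5.1" < "5.1.9" and "5.1.9" is not < "5.1.9".
# Only numeric components are handled; a "-rc1" style suffix is stripped by the caller.
version_lt() {
  a="$1."
  b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    pa=${a%%.*}; a=${a#*.}
    pb=${b%%.*}; b=${b#*.}
    pa=${pa:-0}; pb=${pb:-0}
    [ "$pa" -lt "$pb" ] && return 0
    [ "$pa" -gt "$pb" ] && return 1
  done
  return 1
}

# userpro_status CSV: read the output of
#   wp plugin list --fields=name,version --format=csv
# and report the UserPro entry as absent, vulnerable or patched.
userpro_status() {
  ver=$(printf '%s\n' "$1" | awk -F, '$1 == "userpro" { print $2; exit }')
  ver=${ver%%-*}   # drop a pre-release suffix such as "-rc1" before comparing
  if [ -z "$ver" ]; then
    echo "absent"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "vulnerable $ver (upgrade to $FIXED_VERSION or later)"
  else
    echo "patched $ver"
  fi
}

# Constructed sample (not real data) in the shape WP-CLI prints for --format=csv.
SAMPLE_PLUGIN_LIST='name,version
akismet,5.3
userpro,5.1.8
hello-dolly,1.7.2'

# Stand-alone demo. On a real host replace the sample with live output:
#   userpro_status "$(wp plugin list --fields=name,version --format=csv)"
userpro_status "$SAMPLE_PLUGIN_LIST"
```

Requesting explicit fields with --fields=name,version keeps the column positions stable across WP-CLI releases, which otherwise add columns such as auto_update to the default listing; the comparison is done in plain sh so it runs in a post-upgrade hook or cron job without extra tooling.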
Update the UserPro plugin to the latest available version. If no version that fixes the vulnerability is available, consider disabling or removing the plugin until a secure update is published. Consult the vendor's website for further information and updates.
CVE-2024-35700 is a critical vulnerability in DeluxeThemes UserPro allowing attackers to elevate privileges within a WordPress environment, potentially gaining unauthorized access.
You are affected if you are using DeluxeThemes UserPro version 5.1.8 or earlier. Upgrade to 5.1.9 or later to mitigate the risk.
Upgrade DeluxeThemes UserPro to version 5.1.9 or later. If immediate upgrade is not possible, restrict access to UserPro's administrative features.
As of now, there are no publicly known active exploitation campaigns, but the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the DeluxeThemes website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-35700.