WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update
Platform
wordpress
Component
wp-video-robot
Fixed version
1.20.1
CVE-2024-9192 is a privilege escalation vulnerability discovered in the WordPress Video Robot - The Ultimate Video Importer plugin. An attacker with subscriber-level access or higher can exploit this flaw to elevate their privileges to administrator, gaining full control of the WordPress site. This vulnerability affects versions up to and including 1.20.0. A patch is available from the plugin developer.
Impact and attack scenarios
This vulnerability allows authenticated users with subscriber access or higher to bypass access controls and gain administrator privileges. An attacker could leverage this to modify site content, install malicious plugins, steal sensitive data, or completely compromise the WordPress installation. The impact is significant, as it allows for complete control over the affected website. This vulnerability highlights the importance of proper access control validation within WordPress plugins, particularly when handling user meta data.
Exploitation context
This vulnerability was publicly disclosed on 2024-11-16. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation suggests a potential for rapid adoption. The vulnerability is not currently listed on the CISA KEV catalog. Given the plugin's popularity and the relatively straightforward exploitation path, active exploitation is possible.
Who is at risk
Websites using the WordPress Video Robot plugin, particularly those with subscriber-level users who have access to modify site content or settings, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to lateral movement to others.
Detection steps
• wordpress / composer / npm:
- List the plugin and its installed version:
  wp plugin list | grep 'Video Robot'
- Update all plugins (the fix ships in 1.20.1):
  wp plugin update --all
- Search the plugin directory for wpvr_rate_request_result:
  grep -r 'wpvr_rate_request_result' /var/www/html/wp-content/plugins/video-robot/
- Re-check the plugin status after updating:
  wp plugin status | grep 'Video Robot'
Attack timeline
- Disclosure: 2024-11-16
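The detection steps above rely on reading the installed version by eye. As an added example (not the advisory's own tooling), the POSIX shell check below parses the plugin's WordPress header and compares the version numerically against the fixed release 1.20.1, so that 1.9.9 is correctly treated as older than 1.20.0; the sample header is constructed, and the real plugin path is an assumption.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling: decide from a plugin's
# header whether the installed WP Video Robot is older than the fixed release.
FIXED_VERSION="1.20.1"   # fixed version named in this advisory

# vercmp A B: print -1, 0 or 1 comparing dotted versions numerically,
# so that 1.9.9 < 1.20.0 (a plain string compare would get this wrong).
vercmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); a="${a#*.}"
    bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' "-1"; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' "1"; return; fi
  done
  printf '%s\n' "0"
}

# wpvr_header_version FILE: print the "Version:" value from a WordPress
# plugin header block (with or without a leading " * ").
wpvr_header_version() {
  sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# wpvr_is_vulnerable VERSION: succeed (exit 0) when VERSION < FIXED_VERSION.
wpvr_is_vulnerable() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# wpvr_check_file FILE: report VULNERABLE / PATCHED / UNKNOWN for a plugin file.
wpvr_check_file() {
  v=$(wpvr_header_version "$1")
  [ -n "$v" ] || { printf 'UNKNOWN %s\n' "$1"; return 2; }
  if wpvr_is_vulnerable "$v"; then printf 'VULNERABLE %s\n' "$v"; return 0; fi
  printf 'PATCHED %s\n' "$v"; return 1
}

# Constructed sample header (not a real plugin file) so this runs offline;
# in production point it at the plugin's main PHP file under wp-content/plugins/.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/*
 * Plugin Name: WP Video Robot
 * Version: 1.20.0
 */
EOF
wpvr_check_file "$SAMPLE"   # prints: VULNERABLE 1.20.0
rm -f "$SAMPLE"
```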
Threat intelligence
EPSS: 0.20% (43rd percentile)
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet with no physical or local access; the largest attack surface.
- Attack Complexity: Low. No special conditions are required; the vulnerability can be exploited reliably.
- Privileges Required: Low. Any valid user account suffices.
- User Interaction: None. The attack is automatic and silent; the victim does not need to do anything.
- Scope: Unchanged. Impact is confined to the vulnerable component itself.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: High. Complete outage or resource exhaustion; full denial of service.
Mitigations and alternatives
The primary mitigation is to immediately update the WordPress Video Robot plugin to a version newer than 1.20.0, as the developer has released a patch. If upgrading is not immediately feasible, consider restricting access to the plugin's settings or implementing stricter user role permissions to limit the potential impact. Regularly review user roles and permissions to ensure they align with the principle of least privilege. Monitor WordPress logs for suspicious activity related to user meta updates.
Remediation
Update the WordPress Video Robot plugin to the latest available version. This resolves the privilege escalation vulnerability.
Frequently asked questions
What is CVE-2024-9192 — Privilege Escalation in WordPress Video Robot?
CVE-2024-9192 is a vulnerability allowing authenticated subscribers to gain administrator privileges in the WordPress Video Robot plugin, potentially compromising site control.
Am I affected by CVE-2024-9192 in WordPress Video Robot?
You are affected if you are using WordPress Video Robot plugin version 1.20.0 or earlier. Check your plugin version and update immediately.
How do I fix CVE-2024-9192 in WordPress Video Robot?
Update the WordPress Video Robot plugin to a version newer than 1.20.0. This patch resolves the privilege escalation vulnerability.
Is CVE-2024-9192 being actively exploited?
While no public exploits are currently available, the ease of exploitation suggests a potential for active exploitation. Monitor your site for suspicious activity.
Where can I find the official WordPress Video Robot advisory for CVE-2024-9192?
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.