Platform
wordpress
Component
buddyforms
Fixed version
2.8.12
A privilege escalation vulnerability has been identified in the Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress. This flaw allows authenticated attackers with contributor-level access or higher to escalate their privileges to administrator roles by crafting custom registration forms. The vulnerability impacts versions up to and including 2.8.11. A patch is available to address this issue.
This vulnerability poses a significant risk to WordPress websites utilizing the affected plugin. An attacker who has already gained contributor-level access can leverage this flaw to create a registration form that automatically assigns new users the administrator role. This effectively grants the attacker complete control over the website, including the ability to modify content, install malicious plugins, and access sensitive data. The potential impact includes data breaches, website defacement, and complete compromise of the WordPress installation. This is similar to other privilege escalation vulnerabilities where an attacker can bypass access controls to gain elevated permissions.
This CVE was publicly disclosed on 2024-09-14. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the relatively straightforward nature of the exploit and the widespread use of WordPress. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
WordPress websites using the Post Form plugin, particularly those with contributor-level users who have access to modify registration forms, are at risk. Shared hosting environments where users have limited control over plugin configurations are also particularly vulnerable.
• wordpress / composer / npm:
grep -r 'wp_set_role( ' /var/www/html/wp-content/plugins/post-form-for-user-profiles/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'post-form-for-user-profiles'
• wordpress / composer / npm:
wp plugin update --all
Exploitation status
EPSS
0.42% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Post Form plugin to a version newer than 2.8.11, where the vulnerability has been addressed. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider restricting user roles and permissions within WordPress itself to limit the potential impact. Implement strict access controls and regularly review user roles. Additionally, monitor WordPress logs for suspicious activity related to user registration and role assignment. After upgrading, verify the fix by attempting to create a registration form with a custom role and confirming that it does not allow registration as an administrator.
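As an added example, not taken from the advisory or from the plugin's own code: a POSIX shell check that reads the "Version:" header WordPress requires in a plugin's main file and reports whether the installed copy is still in the vulnerable range, i.e. older than the fixed version 2.8.12 stated above. The sample header written to a temporary file is constructed for illustration; to check a real site, point is_vulnerable_file at the plugin's main file under wp-content/plugins/.

```shell
#!/bin/sh
# Fixed version taken from the advisory; anything older is in the vulnerable range.
FIXED_VERSION="2.8.12"

# Print the value of the "Version:" header from a plugin main file (first match only).
# Matches both " * Version: 2.8.11" inside the header comment and a bare "Version: 2.8.11".
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) if dotted version $1 is strictly older than $2.
# Compares component by component so that 2.10 sorts after 2.9; missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Return 0 if the plugin file's version is older than FIXED_VERSION,
# 1 if it is fixed, 2 if no Version: header could be found.
is_vulnerable_file() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample plugin header (not a real install) so the check runs offline.
SAMPLE_FILE="${TMPDIR:-/tmp}/post-form-sample-header.php"
cat > "$SAMPLE_FILE" <<'EOF'
<?php
/**
 * Plugin Name: Post Form (constructed sample header)
 * Version: 2.8.11
 */
EOF

if is_vulnerable_file "$SAMPLE_FILE"; then
    echo "$(plugin_version "$SAMPLE_FILE") is older than $FIXED_VERSION: vulnerable, upgrade"
else
    echo "$(plugin_version "$SAMPLE_FILE") is at or above $FIXED_VERSION: fixed"
fi
```

The comparison is done in plain shell rather than with sort -V so the check behaves the same on minimal BusyBox-based containers; a return code of 2 signals that the file had no parsable header, which should be treated as "unknown" rather than "fixed".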
Update the Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin to the latest available version. This fixes the privilege escalation vulnerability that let users with contributor-level access or higher create registration forms allowing them to register as administrators.
CVE-2024-8246 is a high-severity vulnerability in the WordPress Post Form plugin allowing authenticated contributors to escalate to administrator roles via custom registration forms.
You are affected if you are using the Post Form plugin version 2.8.11 or earlier. Check your plugin versions and upgrade immediately.
Upgrade the Post Form plugin to a version greater than 2.8.11. If immediate upgrade is not possible, restrict user roles and monitor logs.
Currently, there are no confirmed reports of active exploitation, but it is a high-severity vulnerability and should be addressed promptly.
Refer to the WordPress security announcements page for the latest information and updates regarding this vulnerability: https://wordpress.org/news/