CVE-2024-9863

17 Oct 2024

Título es

CVE-2024-9863

Jue, 17/10/2024 – 02:15

Tipo

CWE-266

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-9863

Descripción en

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

17/10/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194

https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4

https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve

Enviar en el boletín