CVE-2024-4958
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation
highMissing Authorization
7.1
CVSS Score
7.1
CVSS Score
high
Severity
3.2.1
Patched in
1d
Time to patch
Description
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it possible for authenticated attackers, with contributor-level permissions and above, to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=3.2.0.1PublishedMay 31, 2024
Last updatedJune 1, 2024
Affected pluginuser-registration
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.