CVE-2021-24602

Published: Aug 23, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page

Affected (1)

Products: Hmplugin: Hm Multiple Roles

Hmplugin

1 product

Hm Multiple Roles

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Hmplugin Hm Multiple Roles	Before 1.3

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-669

Incorrect Resource Transfer Between Spheres

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

References (4)

https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5

Source: contact@wpscan.com

Third Party Advisory

https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.