← Back

CVE-2024-8246

nvd nist
Published: Sep 14, 2024Modified: Sep 26, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: security@wordfence.com (Secondary)

Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.

Affected (1)

Themekraft
1 product
Buddyforms
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Buddyforms
Before 2.8.12

Related CWEs

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

Source: security@wordfence.com
Patch
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.