CVE-2024-9941

Published: Nov 23, 2024Modified: Nov 26, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up to, and including, 67.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new user accounts with the administrator role.

Affected (1)

Products: Mojoomla: Wordpress Gym Management System

1 product

Wordpress Gym Management System

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mojoomla Wordpress Gym Management System	Before 67.2.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/cbff92c1-8492-4d0d-bd90-8fd33625bf6f?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.