8.8
CVE-2021-24602
- EPSS 1.51%
- Veröffentlicht 23.08.2021 12:15:10
- Zuletzt bearbeitet 21.11.2024 05:53:23
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginHM Multiple Roles < 1.3 - Arbitrary Role Change
HM Multiple Roles <= 1.2 - Privilege Escalation via Arbitrary Role Change
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page
Mögliche Gegenmaßnahme
HM Multiple Roles: Update to version 1.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Hmplugin ≫ Hm Multiple Roles SwPlatformwordpress Version < 1.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
HM Multiple Roles
Version
*-1.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.51% | 0.711 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-669 Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/
https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5
https://www.wordfence.com/threat-intel/vulnerabilities/id/14f0df3e-4333-49d8-a318-6f9fa614c23e