CVE-2024-3668

EPSS 0.18%
Veröffentlicht 08.06.2024 05:15:40
Zuletzt bearbeitet 08.04.2025 14:04:49
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

PowerPack Pro for Elementor <= 2.10.17 - Authenticated (Contributor+) Privilege Escalation

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator.

Mögliche Gegenmaßnahme

PowerPack Pro for Elementor: Update to version 2.10.18, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt PowerPack Pro for Elementor

Version *-2.10.17

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ideabox ≫ Powerpack Addons For Elementor SwEditionpro SwPlatformwordpress Version < 2.10.18

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.399

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://powerpackelements.com/change-logs/

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/249ccc77-0daf-41bc-b5c5-991bf17d645d?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/249ccc77-0daf-41bc-b5c5-991bf17d645d

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-3668

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3668

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3668

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3668