9.8

CVE-2024-6624

EPSS 39.28%
Veröffentlicht 11.07.2024 07:15:06
Zuletzt bearbeitet 21.11.2024 09:50:01
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

JSON API User <= 3.9.3 - Unauthenticated Privilege Escalation

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed.

Mögliche Gegenmaßnahme

JSON API User: Update to version 3.9.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt JSON API User

Version *-3.9.3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parorrey ≫ Json Api User SwPlatformwordpress Version < 3.9.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	39.28%	0.971

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://plugins.trac.wordpress.org/browser/json-api-user/trunk/controllers/User.php#L187

Product

https://plugins.trac.wordpress.org/browser/json-api-user/trunk/controllers/User.php#L51

Product

https://plugins.trac.wordpress.org/changeset/3115185/

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/a4a26f60-5912-4d4a-8ef8-e4357c1fb1ff?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a4a26f60-5912-4d4a-8ef8-e4357c1fb1ff

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-6624

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6624

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6624

EUVD