WordPress Plugin Vulnerabilities

UserPlus <= 2.0 - Privilege Escalation

Description

The User registration & user profile – UserPlus plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to gain administrator privileges.

Affects Plugins

Plugin icon
userplus
No known fix

References

CVE
CVE-2024-52442
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b26f41e-fab8-4fe4-b5ab-4c238a433eab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
João Pedro Soares de Alcântara
Verified
No
WPVDB ID
0f2ddc11-90b8-42d1-8ea4-f6d6fd9e8077

Timeline

Publicly Published
2024-11-18 (about 1 year ago)
Added
2024-11-26 (about 1 year ago)
Last Updated
2024-11-26 (about 1 year ago)

Other

Published
Title
Published
2025-10-31
Title
Qi Blocks < 1.4.4 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
Published
2023-09-05
Title
Click To Tweet <= 2.0.14 - Missing Authorization
Published
2024-11-08
Title
Th Shop Mania < 1.5.0 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Published
2022-02-28
Title
Unauthorised AJAX Calls via Freemius
Published
2022-11-07
Title
LoginPress < 1.6.3 - Unauthenticated Settings Update