HM Multiple Roles < 1.3 - Arbitrary Role Change

Description

The plugin does not have any access control to prevent low privilege users to set themselves as admin via their profile page

Proof of Concept

As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by either using the web browser developer tool or a proxy such as Burp Suite

Affects Plugins

hm-multiple-roles

Fixed in version 1.3✓

References

CVE

CVE-2021-24602

URL

https://wordpress.org/support/topic/security-issue-117/

URL

https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

Miscellaneous

Original Researcher

clemorphy

Verified

Yes

WPVDB ID

5fd2548a-08de-4417-bff1-f174dab718d5

Timeline

Publicly Published

2021-07-20 (about 2 months ago)

Added

2021-07-20 (about 2 months ago)

Last Updated

2021-08-10 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin