HM Multiple Roles < 1.3 – Arbitrary Role Change | CVE 2021-24602

Description

The plugin does not have any access control to prevent low privilege users to set themselves as admin via their profile page

Proof of Concept

As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by either using the web browser developer tool or a proxy such as Burp Suite

Affects Plugins

hm-multiple-roles

Fixed in 1.3

References

CVE

CVE-2021-24602

URL

https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/

URL

https://wordpress.org/support/topic/security-issue-117/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

9.9 (critical)

Miscellaneous

Original Researcher

clemorphy

Verified

Yes

WPVDB ID

5fd2548a-08de-4417-bff1-f174dab718d5

Timeline

Publicly Published

2021-07-20 (about 4 years ago)

Added

2021-07-20 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2025-01-20

Title

WordPress RealHomes Theme < 4.3.7 - Privilege Escalation

Published

2025-06-09

Title

RH - Real Estate WordPress Theme < 4.4.1 - Authenticated (Subscriber+) Privilege Escalation

Published

2024-10-25

Title

Exam Matrix <= 1.5 - Unauthenticated Privilege Escalation

Published

2025-07-23

Title

Wholesale Suite < 2.2.5 - Authenticated (Shop Manager+) Privilege Escalation

Published

2025-04-30

Title

SureTriggers < 1.0.83 - Unauthenticated Privilege Escalation