JetFormBuilder < 3.3.4.2 – Authenticated (Administrator+) Privilege Escalation | CVE 2024-7291 | Plugin Vulnerabilities

Description

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.

Affects Plugins

Fixed in 3.3.4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8ea1c2-7c6e-43b3-97ca-a06438d51d11

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

61ee3718-1cc7-43ab-85bd-febeff6e6d5e

Timeline

Publicly Published

2024-08-02 (about 1 year ago)

Added

2024-08-02 (about 1 year ago)

Last Updated

2024-08-06 (about 1 year ago)

Other

Published

Title

Published

2025-02-26

Title

Templines Elementor Helper Core < 2.8 - Authenticated (Subscriber+) Privilege Escalation

Published

2025-07-28

Title

Custom API for WP < 4.2.3 - Subscriber+ Privilege Escalation

Published

2020-03-16

Title

LearnPress < 3.2.6.7 - Privilege Escalation

Published

2023-12-26

Title

ARMember < 4.0.11 - Subscriber+ Privilege Escalation

Published

2025-02-24

Title

Private Content <= 8.11.5 - Unauthenticated Privilege Escalation via Account Takeover