WordPress Plugin Vulnerabilities

Accessibility by AllAccessible < 1.3.5 - Subscriber+ Privilege Escalation

Description

The plugin is vulnerable to Privilege Escalation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
allaccessible
Fixed in 1.3.5

References

CVE
CVE-2024-49644
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0ede0053-f885-40b3-a539-edf8df5f12bf

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
815e3138-e938-42a1-961f-8edecb918914

Timeline

Publicly Published
2025-01-03 (about 1 year ago)
Added
2025-01-13 (about 1 year ago)
Last Updated
2025-01-13 (about 1 year ago)

Other

Published
Title
Published
2024-11-22
Title
WPGYM < 67.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2019-08-03
Title
ND Donations < 1.4 - Unauthenticated Options Change
Published
2022-02-01
Title
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
Published
2022-12-27
Title
Login as User or Customer < 3.3 - Unauthenticated Privilege Escalation to Admin
Published
2021-07-26
Title
Advanced Shipment Tracking for WooCommerce < 3.2.7 - Authenticated Options Change