WPFront User Role Editor < 4.1.0 – Limited Information Exposure | CVE 2024-2931 | Plugin Vulnerabilities

Description

The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site.

Affects Plugins

wpfront-user-role-editor

Fixed in 4.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/078a0647-fc3a-436c-bf00-8776b16e66ff

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

AmrAwad

Verified

No

WPVDB ID

8bb970f1-e1de-4e67-94d9-2bd38c249dda

Timeline

Publicly Published

2024-04-01 (about 2 years ago)

Added

2024-04-01 (about 2 years ago)

Last Updated

2024-04-01 (about 2 years ago)

Other

Published

Title

Published

2025-09-30

Title

File Manager, Code editor, backup by Managefy < 1.6.2 - Unauthenticated Information Exposure

Published

2023-07-17

Title

Royal Elementor Addons < 1.3.71 - Unauthenticated API Key Disclosure

Published

2025-03-28

Title

DAP to Autoresponders Email Syncing <= 1.0 - Unauthenticated Information Exposure

Published

2024-12-16

Title

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions < 241216 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2025-12-05

Title

Portfolio and Projects < 1.5.6 - Authenticated (Contributor+) Information Exposure