WHMPress – WHMCS Client Area <= 4.3-revision-3- Authenticated (Subscriber+) Arbitrary Options Update | CVE 2024-9195 | Plugin Vulnerabilities

Description

The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings case in the /admin/ajax.php file in all versions up to, and including, 4.3-revision-3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

WHMpress_Client_Area_Api

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c8af0c5c-3d7b-416d-9d10-6867fcf909a5

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tonn

Verified

No

WPVDB ID

f19a21de-6785-49c6-91e5-d6e86ddd39e6

Timeline

Publicly Published

2025-02-27 (about 1 year ago)

Added

2025-02-27 (about 1 year ago)

Last Updated

2025-02-28 (about 1 year ago)

Other

Published

Title

Published

2026-03-04

Title

WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation < 1.4.25 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Published

2025-12-05

Title

Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters <= 1.0.2 - Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings

Published

2023-07-17

Title

ProfileGrid < 5.5.2 - Subscriber+ Unauthorized Data Modification

Published

2026-02-11

Title

Biolife <= 3.2.3 - Missing Authorization

Published

2025-08-14

Title

WP Statistics < 14.15.2 - Missing Authorization