CVE-2024-8246

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation

Description

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.

References

Link	Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/40760f60-b81a-447b-a2c8-83c7666ce410?source=cve	third party advisory
https://plugins.trac.wordpress.org/changeset/3149760/buddyforms/trunk/includes/admin/form-builder/meta-boxes/metabox-registration.php	patch

Frequently Asked Questions

What is the severity of CVE-2024-8246?: CVE-2024-8246 has been scored as a high severity vulnerability.
How to fix CVE-2024-8246?: To fix CVE-2024-8246, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-8246 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-8246 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-8246?: CVE-2024-8246 affects svenl77 Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC).

Description

Category

CWE-269 – Improper Privilege Management

References

Frequently Asked Questions