CVE-2024-4958
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/06/2024
Last modified:
15/04/2026
Description
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it possible for authenticated attackers, with contributor-level permissions and above, to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/changeset/3095484/user-registration/tags/3.2.1/includes/class-ur-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/710574a8-a6e2-4ee6-9ea7-03a34994fec7?source=cve
- https://plugins.trac.wordpress.org/changeset/3095484/user-registration/tags/3.2.1/includes/class-ur-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/710574a8-a6e2-4ee6-9ea7-03a34994fec7?source=cve