Vulnerability Description
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low-privilege users from setting themselves as admin via their profile page.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hmplugin | Hm Multiple Roles | < 1.3 |
Related Weaknesses (CWE)
References
- https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpre (Exploit, Third Party Advisory)
- https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5 (Third Party Advisory)
FAQ
What is CVE-2021-24602?
CVE-2021-24602 is a vulnerability with a CVSS score of 8.8 (HIGH). The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low-privilege users from setting themselves as admin via their profile page.
How severe is CVE-2021-24602?
CVE-2021-24602 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-24602?
Check the references section above for vendor advisories and patch information. Affected products include: Hmplugin Hm Multiple Roles.