CVE-2024-7291

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/methods/update-user/user-meta-property.php#L23
https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/types/register-user.php#L220
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8ea1c2-7c6e-43b3-97ca-a06438d51d11?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2024-08-03 07:16

Updated : 2024-08-05 12:41

NVD link : CVE-2024-7291

Mitre link : CVE-2024-7291

CVE.ORG link : CVE-2024-7291

JSON object : View

Products Affected

No product.

CWE

CWE-269

Improper Privilege Management

7.2 /10