CVE-2021-24602

HIGH

Hmplugin HM Multiple Roles < 1.3 - Improper Privilege Management

Title source: rule

Description

The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page

References (2)

[Third Party Advisory] https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5

[Exploit, Third Party Advisory] https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/

Scores

CVSS v3 8.8

EPSS 0.0066

EPSS Percentile 71.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-669 CWE-269

Status published

Products (1)

hmplugin/hm_multiple_roles < 1.3

Published Aug 23, 2021

Tracked Since Feb 18, 2026