CVE-2024-8420

CRITICAL EXPLOITED

DHVC Form <2.4.7 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2024-8420 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.

References (2)

Core 2

Core References

Product

https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve

Scores

CVSS v3 9.8

EPSS 0.0050

EPSS Percentile 39.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-05-04

CWE

CWE-266 CWE-269

Status published

Products (2)

SiteSao/DHVC Form < 2.4.7

sitesao/dhvc_form < 2.4.8

Published Feb 28, 2025

Tracked Since Feb 18, 2026