CVE-2024-9520
MEDIUMUserPlus < 2.0 - Authenticated Missing Authorization in Admin AJAX Functions
Title source: llmDescription
The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.0. This makes it possible for authenticated attackers with subscriber-level permissions or above, to add, modify, or delete user meta and plugin options.
References (4)
Core 4
Core References
Product
https://plugins.trac.wordpress.org/browser/userplus/trunk/admin/admin-ajax.php?rev=1627771#L186
Product
https://plugins.trac.wordpress.org/browser/userplus/trunk/admin/admin-ajax.php?rev=1627771#L216
Scores
CVSS v3
6.3
EPSS
0.0032
EPSS Percentile
24.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
userplus/User registration & user profile – UserPlus
< 2.0
wpuserplus/userplus
< 2.0
Published
Oct 10, 2024
Tracked Since
Feb 18, 2026