CVE-2024-7291

CVSS V2 None CVSS V3 None

Description

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.

Overview

CVE ID
CVE-2024-7291

Assigner
Wordfence

Vulnerability Status
PUBLISHED

Published Version
2024-08-03T06:41:39.862Z

Last Modified Date
2024-08-03T06:41:39.862Z

Weakness Enumerations

CWE	URL
CWE-269	http://cwe.mitre.org/data/definitions/269.html

References

Reference URL	Reference Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8ea1c2-7c6e-43b3-97ca-a06438d51d11?source=cve
https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/types/register-user.php#L220
https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.3.4.1/includes/actions/methods/update-user/user-meta-property.php#L23

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7291
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7291

History

Created	Old Value	New Value	Data Type	Notes
2024-08-04 13:02:37				Added to TrackCVE