CVE-2024-0324

2024-02-0522:15:59

CWE-862

[email protected]

web.nvd.nist.gov

cve-2024-0324

wordpress plugin

vulnerability

data modification

unauthorized access

2fa manipulation

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.1%

JSON

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wppb_two_factor_authentication_settings_update’ function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

Affected configurations

Vulners

NVD

Node

reflectionmediauser_profile_builder_–_beautiful_user_registration_forms\,_user_profiles_\&_user_role_editorRange≤3.10.8

CPENameOperatorVersion
cozmoslabs:profile_buildercozmoslabs profile builderle3.10.8

CPE	Name	Operator	Version
cozmoslabs:profile_builder	cozmoslabs profile builder	le	3.10.8

CNA Affected

[
  {
    "vendor": "reflectionmedia",
    "product": "User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.10.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]