Lucene search
WPScanCVELIST:CVE-2021-24649HistoryNov 21, 2022 - 12:00 a.m.
CVE-2021-24649 WP User Frontend < 3.5.29 - Obscure Registration as Admin
2022-11-2100:00:00
WPScan
www.cve.org
wordpress
user frontend
plugin
vulnerability
registration
admin
encryption
security issue
The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin
CNA Affected
[
{
"vendor": "Unknown",
"product": "WP User Frontend",
"collectionURL": "https://wordpress.org/plugins",
"versions": [
{
"status": "affected",
"versionType": "custom",
"version": "0",
"lessThan": "3.5.29"
}
],
"defaultStatus": "unaffected"
}
]Related
cve
cve
CVE-2021-24649
2022-11-21 11:15:12
wpvulndb
wpvulndb
WP User Frontend < 3.5.29 - Obscure Registration as Admin
2022-10-31 00:00:00
nvd
nvd
CVE-2021-24649
2022-11-21 11:15:12
patchstack
patchstack
cnvd
cnvd
WordPress WP User Frontend authorization issue vulnerability
2022-11-23 00:00:00
prion
prion
Design/Logic Flaw
2022-11-21 11:15:00
wpexploit
wpexploit
WP User Frontend < 3.5.29 - Obscure Registration as Admin
2022-10-31 00:00:00