Description

WordPress Plugin Login/Signup Popup (Inline Form + Woocommerce) is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently change arbitrary site options, which can be used to enable new user registration and set the default role for new users to Administrator. WordPress Plugin Login/Signup Popup (Inline Form + Woocommerce) versions 2.7.1 - 2.7.2 are vulnerable.

Remediation

Update to plugin version 2.7.3 or latest

References

https://www.wordfence.com/blog/2024/06/40000-wordpress-sites-affected-by-vulnerability-that-leads-to-privilege-escalation-in-login-signup-popup-wordpress-plugin/

https://plugins.svn.wordpress.org/easy-login-woocommerce/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin WordPress Custom Settings Cross-Site Scripting (1.0)

WordPress Plugin Better Font Awesome Cross-Site Request Forgery (2.0.1)

Python Uncontrolled Resource Consumption Vulnerability (CVE-2021-3737)

MySQL CVE-2013-3812 Vulnerability (CVE-2013-3812)

Sqlite Improper Input Validation Vulnerability (CVE-2016-6153)

Severity

High

Classification

CVE-2024-5324 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass