PT-2019-7148 · WordPress · Wp Marketplace

Kacper Szurek
Published: 2019-11-06 · Updated: 2019-11-08
CVE-2014-9013 · CVSS v2.0: 6.5 (Medium) · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: WP Marketplace plugin version 2.4.0
Description: The issue allows remote authenticated users to create arbitrary users and gain admin privileges. It is reached through the ajaxinit function in wpmarketplace/libs/cart.php: a request to the "wpmp_pp_ajax_call" action with an execution target of wp_insert_user makes the handler invoke that function on the caller's behalf.
Recommendations: For WP Marketplace plugin version 2.4.0, consider disabling the ajaxinit function in wpmarketplace/libs/cart.php as a temporary workaround until a patch is available. Restrict access to the "wpmp_pp_ajax_call" endpoint to minimize the risk of exploitation. Avoid using the wp_insert_user execution target in the affected endpoint until the issue is resolved.
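An added example of the mitigation the recommendations describe, not code from the WP Marketplace plugin: a small must-use plugin that refuses the vulnerable AJAX action for non-administrators, followed by the allowlist dispatcher pattern that avoids this class of bug altogether. It assumes the plugin registers the action through WordPress's standard wp_ajax_ hook; the names wpmp_example_*, the 'op' and 'nonce' parameters and the capability choices are assumptions.

```php
<?php
// Added example, not the WP Marketplace plugin's code. Place in wp-content/mu-plugins/.
// Assumes the plugin registers its action through the standard wp_ajax_ hook.

// 1. Temporary workaround: run before the plugin's handler (priority 0) and stop the
//    request unless the caller is an administrator. wp_send_json_error() calls wp_die(),
//    so the vulnerable handler registered at the default priority 10 never executes.
add_action( 'wp_ajax_wpmp_pp_ajax_call', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}, 0 );

// 2. What a safe dispatcher looks like (hypothetical names wpmp_example_*, 'op', 'nonce'):
//    the request may only pick from a fixed allowlist, never name a PHP function, and
//    each operation carries its own capability requirement.
function wpmp_example_ajax_dispatch() {
    check_ajax_referer( 'wpmp_example_nonce', 'nonce' );          // CSRF check

    $allowed = array(
        'cart_total'  => array( 'cap' => 'read',         'fn' => 'wpmp_example_cart_total' ),
        'create_user' => array( 'cap' => 'create_users', 'fn' => 'wpmp_example_create_user' ),
    );
    $op = isset( $_POST['op'] ) ? sanitize_key( wp_unslash( $_POST['op'] ) ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }
    if ( ! current_user_can( $allowed[ $op ]['cap'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( call_user_func( $allowed[ $op ]['fn'] ) );
}
add_action( 'wp_ajax_wpmp_example_call', 'wpmp_example_ajax_dispatch' );

function wpmp_example_cart_total() {
    return 0; // placeholder for a real cart computation
}

function wpmp_example_create_user() {
    // Only reached by users holding create_users, and the role is fixed server-side:
    // the request can never ask for 'administrator'.
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => 'subscriber',
    ) );
}
```

The workaround in part 1 is a stop-gap only; the lasting fix is the patched plugin release, and part 2 shows the shape a corrected handler should take.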

Exploit · Fix · RCE


Weakness Enumeration
Related Identifiers: CVE-2014-9013
Affected Products: Wp Marketplace