PT-2024-15470 · WordPress · User Profile Builder

Kodai Kubono

Published: 2024-02-05
Updated: 2024-02-13

CVE-2024-0324

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress, versions up to and including 3.10.8.

Description
The issue is a missing capability check on the wppb two factor authentication settings update function, allowing unauthorized modification of data. This enables unauthenticated attackers to enable or disable the 2FA functionality for arbitrary user roles in the Premium version of the plugin.

Recommendations
For versions up to and including 3.10.8, update to a version later than 3.10.8 to resolve the issue. As a temporary workaround, consider disabling the wppb two factor authentication settings update function until a patch is available.
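The weakness class described above is a settings update handler reachable without an authorization check. The following is an added illustration, not the plugin's own code: a hypothetical WordPress AJAX handler that stores which roles must use 2FA, first in the vulnerable shape and then hardened with a nonce and a capability check. All option, action and function names are assumed.

```php
<?php
// Added illustration, not the plugin's code. Assumed names:
// option 'example_2fa_roles', AJAX actions 'example_2fa_roles_vuln' / 'example_2fa_roles'.

// Vulnerable pattern: registered for logged-out users as well (wp_ajax_nopriv_) and the
// option is written with no capability check and no nonce, so any request that reaches
// admin-ajax.php can change which roles are subject to 2FA.
function example_update_2fa_roles_vulnerable() {
    $roles = isset($_POST['roles']) ? (array) $_POST['roles'] : array();
    update_option('example_2fa_roles', array_map('sanitize_key', $roles));
    wp_send_json_success();
}
add_action('wp_ajax_example_2fa_roles_vuln', 'example_update_2fa_roles_vulnerable');
add_action('wp_ajax_nopriv_example_2fa_roles_vuln', 'example_update_2fa_roles_vulnerable');

// Hardened pattern: no nopriv hook, the CSRF nonce is verified first, and the caller
// must hold a capability matching the sensitivity of the setting (manage_options here).
// Input is also restricted to role slugs that actually exist on the site.
function example_update_2fa_roles_fixed() {
    check_ajax_referer('example_2fa_roles_nonce', 'nonce'); // dies with 403 on failure
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $known = array_keys(wp_roles()->roles);
    $roles = isset($_POST['roles']) ? (array) $_POST['roles'] : array();
    $roles = array_values(array_intersect(array_map('sanitize_key', $roles), $known));
    update_option('example_2fa_roles', $roles);
    wp_send_json_success($roles);
}
add_action('wp_ajax_example_2fa_roles', 'example_update_2fa_roles_fixed');
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_nopriv_`, `admin_post_nopriv_` or REST route with `permission_callback => '__return_true'` that ends in `update_option()` or a similar write.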

Fix

Weakness Enumeration
Improper Access Control
Missing Authorization

Related Identifiers
CVE-2024-0324

Affected Products
User Profile Builder