CVE-2024-10589

Name of the Vulnerable Software and Affected Versions Leopard - WordPress Offload Media plugin versions up to, and including, 3.1.1

Description The issue allows unauthorized modification of data, leading to privilege escalation due to a missing capability check on the import settings() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. The vulnerability can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Recommendations For versions up to, and including, 3.1.1, update to the latest version immediately to mitigate risks. As a temporary workaround, consider restricting access to the import settings() function until a patch is available. Avoid using the vulnerable function to update arbitrary options on the WordPress site until the issue is resolved.