CVE-2024-11443

Name of the Vulnerable Software and Affected Versions de:branding plugin for WordPress versions up to and including 1.0.2

Description The issue allows unauthorized modification of data, potentially leading to privilege escalation due to a missing capability check on the debranding save() function. This enables authenticated attackers with subscriber-level access and above to update arbitrary options on the WordPress site, which can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

Recommendations For versions up to and including 1.0.2, update to a version higher than 1.0.2 to resolve the issue. As a temporary workaround, consider disabling the debranding save() function until a patch is available. Restrict access to the de:branding plugin to minimize the risk of exploitation.