PT-2024-22856 · WordPress · Wpfront User Role Editor

1337_Wannabe +2 · Published 2024-04-02 · Updated 2025-03-04 · CVE-2024-2931

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WPFront User Role Editor plugin for WordPress versions up to, and including, 3.2.1.11184

Description

The issue allows authenticated attackers with subscriber-level access and above to extract a list of all user email addresses registered on the site. This is possible via the "wpfront_user_role_editor_assign_roles_user_autocomplete" AJAX action.

Recommendations

For versions up to, and including, 3.2.1.11184, consider disabling the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action until a patch is available. Restrict access to this action to minimize the risk of exploitation. Avoid using this action in the affected plugin until the issue is resolved.
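
One way to apply the "restrict access" recommendation is a must-use plugin that gates the AJAX action behind a capability check. This is an added example, not code from the plugin or from this advisory. It assumes the action is registered under the WordPress hook wp_ajax_wpfront_user_role_editor_assign_roles_user_autocomplete (the page's action name with underscores), that the plugin's handler runs at the default hook priority, and that list_users is an acceptable capability for your site.

```php
<?php
/**
 * Plugin Name: Restrict WPFront assign-roles autocomplete (temporary mitigation)
 *
 * Added example, not WPFront's own code.
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 */

// Assumption: the AJAX action name as registered by the affected plugin.
const WPFRONT_AUTOCOMPLETE_ACTION = 'wpfront_user_role_editor_assign_roles_user_autocomplete';

// Assumption: only accounts that may already list users should reach the lookup.
const WPFRONT_AUTOCOMPLETE_CAP = 'list_users';

// Priority 0 runs before handlers registered at the default priority of 10
// (assumed to include the plugin's own handler).
add_action(
    'wp_ajax_' . WPFRONT_AUTOCOMPLETE_ACTION,
    function () {
        if ( current_user_can( WPFRONT_AUTOCOMPLETE_CAP ) ) {
            return; // Authorized: let the plugin's handler run as usual.
        }

        // Record the blocked attempt for later review; no user data is logged.
        error_log(
            sprintf(
                'Blocked AJAX action %s for user ID %d',
                WPFRONT_AUTOCOMPLETE_ACTION,
                get_current_user_id()
            )
        );

        // Sends a JSON error with HTTP 403 and terminates the request,
        // so the plugin's handler never executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    },
    0
);
```

To disable the action entirely instead of restricting it, drop the capability branch so every request ends in the 403 response.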

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-2931

Affected Products

Wpfront User Role Editor