CVE-2024-4958

Name of the Vulnerable Software and Affected Versions User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin versions up to, and including, 3.2.0.1

Description The issue allows unauthorized modification of data due to a missing capability check on the import form action function. This enables authenticated attackers with contributor-level permissions and above to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator.

Recommendations For versions up to, and including, 3.2.0.1, consider disabling the import form action function until a patch is available to prevent unauthorized data modification. Restrict access to the registration form import feature to minimize the risk of exploitation. Avoid using the default user role of administrator in imported registration forms until the issue is resolved.