PT-2024-38888 · WordPress · The Post Form – Registration Form – Profile Form For User Profiles – Frontend Content Forms For User Submissions

Wesley · Published 2024-09-13 · Updated 2024-09-26

CVE-2024-8246
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress versions up to, and including, 2.8.11
Description: The vulnerability is due to the plugin not properly restricting which users may set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form whose default role is a custom (privileged) role, allowing them to register as administrators.
Recommendations: For versions up to, and including, 2.8.11, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the registration form creation feature so that authenticated attackers cannot create forms that assign custom roles. Additionally, restrict the ability to set default roles on registration forms to trusted users only.
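The weakness described above is a missing authorization and allow-list check at the point where a form's default role is stored and applied. The following PHP is an added, illustrative hardening pattern for a WordPress registration-form plugin; it is not the affected plugin's code, and the function names, the `_ugc_default_role` meta key and the `ugc_allowed_registration_roles` filter are assumptions made for this example. It shows the two checks a fix needs: a capability check on whoever saves the form's default role, and a server-side allow-list that is re-applied at registration time so stored form settings alone can never yield a privileged account.

```php
<?php
/**
 * Added example (not the affected plugin's code): hardening the "default role"
 * setting of a frontend registration form. All names below are assumptions.
 */

// Roles a registration form is allowed to hand to a self-registering visitor.
// Privileged roles (administrator, editor, ...) are deliberately absent.
function ugc_allowed_registration_roles(): array {
    return apply_filters( 'ugc_allowed_registration_roles', array( 'subscriber' ) );
}

// Saves the default role chosen in the form builder.
// The vulnerable pattern stores $submitted_role for any logged-in user who can
// edit the form, so a contributor can select 'administrator'. This version
// requires a role-management capability and an allow-listed, existing role.
function ugc_save_default_role( int $form_id, string $submitted_role ): string {
    // 1. Capability check: only users who may already change roles in wp-admin,
    //    and who may edit this particular form post.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_post', $form_id ) ) {
        return 'subscriber'; // request ignored; safe default kept
    }

    // 2. Allow-list check: the role must exist and be one a form may assign.
    $role = sanitize_key( $submitted_role );
    if ( ! array_key_exists( $role, wp_roles()->get_names() )
        || ! in_array( $role, ugc_allowed_registration_roles(), true ) ) {
        $role = 'subscriber';
    }

    update_post_meta( $form_id, '_ugc_default_role', $role );
    return $role;
}

// Applies the stored role when a visitor submits the registration form.
// Re-validating here means a form whose meta was written by another code path
// (older data, a direct database edit) still cannot create privileged accounts.
function ugc_register_user( int $form_id, string $login, string $email, string $password ) {
    $role = (string) get_post_meta( $form_id, '_ugc_default_role', true );
    if ( ! in_array( $role, ugc_allowed_registration_roles(), true ) ) {
        $role = 'subscriber';
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $login, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The second check is the one that matters for existing sites: after updating, any form already saved with a privileged default role is neutralised at registration time without having to audit every stored form. Sites can still widen the allow-list deliberately through the filter, but only to roles they have chosen to permit.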

Fix

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2024-8246

Affected Products: The Post Form – Registration Form – Profile Form For User Profiles – Frontend Content Forms For User Submissions