PT-2024-39496 · WordPress · Publishpress Authors

Wesley · Published 2024-10-16 · Updated 2024-10-22
CVE-2024-9215 · CVSS v3.1 8.8 (High) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PublishPress Authors plugin for WordPress, versions up to and including 4.7.1

Description
The issue is an Insecure Direct Object Reference (IDOR) that can lead to Privilege Escalation and Account Takeover. It is caused by missing validation of the user-controlled authors-user_id key in the action_edited_author() function: the user id supplied in the request is used directly to select which account is modified, without checking that the caller is allowed to edit that account. Authenticated attackers with Author-level access and above can update arbitrary user accounts' email addresses, including administrators', and then reset that user's account password to gain access.

Recommendations
For versions up to and including 4.7.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the action_edited_author() function until a patch is available. Additionally, restrict the use of the authors-user_id key to minimize the risk of exploitation.
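The access-control failure described above, shown as an added PHP illustration that is not PublishPress Authors' own code: a handler that trusts a request-supplied user id (the IDOR pattern) next to a hardened handler that binds that id to a WordPress capability check. The function names, the nonce action and the user_email field are hypothetical placeholders; authors-user_id is the request key named in the advisory, and the WordPress API calls (check_admin_referer, absint, current_user_can, wp_update_user, is_email, wp_die) are real core functions.

```php
<?php
/**
 * Added example, not the plugin's code. Function, hook and field names are
 * hypothetical; only the 'authors-user_id' key comes from the advisory.
 */

// --- Vulnerable pattern: the target user id comes straight from the request
// --- and is trusted. Any logged-in user who can reach the handler can point
// --- it at another account (user ID 1 is typically the first administrator).
function example_vulnerable_edited_author() {
    $user_id = (int) $_POST['authors-user_id'];        // attacker-controlled object reference
    $email   = sanitize_email( $_POST['user_email'] ); // value is sanitised, but the *owner* is never checked

    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $email,
    ) );
}

// --- Hardened pattern: the object reference is only honoured if the caller
// --- is authorised to edit that specific user.
function example_hardened_edited_author() {
    // 1. CSRF protection: the submitting form must carry a nonce for this action.
    //    (hypothetical nonce action and field names)
    check_admin_referer( 'example_edit_author', '_example_nonce' );

    $user_id = isset( $_POST['authors-user_id'] ) ? absint( $_POST['authors-user_id'] ) : 0;
    $email   = isset( $_POST['user_email'] )
        ? sanitize_email( wp_unslash( $_POST['user_email'] ) )
        : '';

    // 2. Object-level authorisation. WordPress maps the 'edit_user' meta
    //    capability to 'edit_users' (an Administrator capability) whenever the
    //    target is not the caller's own account, so an Author cannot reach an
    //    administrator's account even with a forged authors-user_id.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', 403 );
    }

    // 3. Validate the new value itself before writing it.
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', 400 );
    }

    $result = wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $email,
    ) );

    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 400 );
    }
}
```

The defensive point is step 2: sanitising the id (absint) is not authorisation. The check must ask whether the current user may edit the account identified by the request, which is what current_user_can( 'edit_user', $user_id ) does; a check on the caller's role alone, or on the caller's own id, does not close the gap. The same pattern applies to any handler that accepts an object id from the client.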

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-9215

Affected Products: Publishpress Authors