CVE-2024-9518

Name of the Vulnerable Software and Affected Versions UserPlus plugin for WordPress versions up to, and including, 2.0

Description The issue is related to privilege escalation due to insufficient restriction on the form actions and userplus update user profile functions. This allows unauthenticated attackers to specify their user role by supplying the role parameter during registration.

Recommendations For versions up to, and including, 2.0, consider disabling the form actions and userplus update user profile functions until a patch is available. Restrict access to the registration process to minimize the risk of exploitation. Avoid using the role parameter in the affected registration endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.