CVE-2024-10591

Name of the Vulnerable Software and Affected Versions MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress versions up to, and including, 1.5.9

Description The issue concerns unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo save updates() function. This allows authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access to a vulnerable site.

Recommendations For versions up to, and including, 1.5.9, update to a version higher than 1.5.9 to resolve the issue. As a temporary workaround, consider restricting access to the hubwoo save updates() function until a patch is available. Additionally, restrict user registration and ensure that only trusted users have Contributor-level access or above to minimize the risk of exploitation.