CVE-2024-12129

Name of the Vulnerable Software and Affected Versions Royal Core plugin for WordPress versions up to, and including, 2.9.2

Description The issue allows authenticated attackers with Subscriber-level access and above to update arbitrary options on the WordPress site due to a missing capability check on the royal restore backup function. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

Recommendations For Royal Core plugin for WordPress versions up to, and including, 2.9.2, update to a version that includes a fix for the missing capability check on the royal restore backup function. As a temporary workaround, consider restricting access to the royal restore backup function to prevent unauthorized data modification. Additionally, restrict user registration and default role settings to prevent attackers from gaining administrative access.