CVE-2024-12821

Name of the Vulnerable Software and Affected Versions Media Manager for UserPro plugin for WordPress versions up to, and including, 3.12.0

Description The issue allows authenticated attackers with Subscriber-level access and above to update arbitrary options on the WordPress site due to a missing capability check on the upm upload media() function. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

Recommendations For versions up to, and including, 3.12.0, update to a version that includes a fix for the missing capability check in the upm upload media() function to prevent unauthorized modification of data and privilege escalation. As a temporary workaround, consider restricting access to the upm upload media() function until a patch is available.