PT-2025-6457 · Unknown · Apus Framework

Tonn · Published 2025-02-12 · Updated 2025-02-20 · CVE-2024-12296

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apus Framework plugin for WordPress, versions prior to 2.3
Description: The import page options function of the plugin performs no capability check, so any authenticated user with Subscriber-level access or above can update arbitrary options on the WordPress site. Because core settings are reachable this way, an attacker can set the default role for new registrations to administrator and enable user registration, then register a new account and obtain administrative access to the vulnerable site.
Recommendations: Update the Apus Framework plugin to version 2.3 or later, which adds the missing authorization check and prevents unauthorized modification of data and the resulting privilege escalation. Where the update cannot be applied immediately, restrict access to the import page options function to users who hold the manage_options capability as a temporary mitigation. Sites that were exposed should also confirm that user registration is disabled (or intended), that the default role is not administrator, and that no unexpected administrator accounts were created while the vulnerable version was installed.
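To make the flaw and the fix concrete, the following is an added illustration written for this page, not code from the Apus Framework plugin or from the advisory. The function, action and option names (apus_demo_import_page_options_*, apus_demo_import_options, apus_demo_page_layout, apus_demo_page_sidebar) are assumed; the pattern is a generic WordPress admin-ajax handler. The first handler shows the missing-authorization shape described above, the second the hardened form, and the third the kind of must-use-plugin hook that restricts the endpoint while an update is staged.

```php
<?php
/*
 * Illustrative only. Not the Apus Framework's actual code: function, action
 * and option names are assumed for the example.
 *
 * Note: this file must run inside WordPress (update_option, current_user_can,
 * check_ajax_referer and add_action are core functions).
 */

/* ---- 1. Vulnerable shape: no capability check (Missing Authorization) ----
 * Every wp_ajax_* action is reachable by any logged-in user, including a
 * Subscriber. Option names and values from the request are written verbatim. */
function apus_demo_import_page_options_vulnerable() {
	$options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
	foreach ( $options as $name => $value ) {
		// No current_user_can() anywhere: a Subscriber can write core options.
		update_option( sanitize_key( $name ), $value );
	}
	wp_send_json_success();
}
add_action( 'wp_ajax_apus_demo_import_options_vulnerable', 'apus_demo_import_page_options_vulnerable' );
/* Abuse path described in the advisory, as a constructed request body:
 *   action=apus_demo_import_options_vulnerable
 *   &options[users_can_register]=1&options[default_role]=administrator
 * followed by a normal self-registration, which now yields an administrator. */

/* ---- 2. Hardened shape: nonce + capability + option allowlist ---- */
// Only plugin-owned keys may be imported; core settings can never be touched.
const APUS_DEMO_ALLOWED_OPTIONS = array( 'apus_demo_page_layout', 'apus_demo_page_sidebar' ); // assumed keys

function apus_demo_import_page_options_fixed() {
	// CSRF: the request must carry a nonce minted for exactly this action.
	check_ajax_referer( 'apus_demo_import_options', 'nonce' );

	// Authorization: only users allowed to manage site options may import.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$options = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
		? wp_unslash( $_POST['options'] )
		: array();

	foreach ( $options as $name => $value ) {
		$name = sanitize_key( $name );
		// Allowlist: silently drop anything that is not a plugin-owned option.
		if ( ! in_array( $name, APUS_DEMO_ALLOWED_OPTIONS, true ) ) {
			continue;
		}
		update_option( $name, sanitize_text_field( (string) $value ) );
	}
	wp_send_json_success();
}
add_action( 'wp_ajax_apus_demo_import_options', 'apus_demo_import_page_options_fixed' );

/* ---- 3. Temporary mitigation (wp-content/mu-plugins/) while the update is staged ----
 * admin-ajax.php fires admin_init before the wp_ajax_* action, so the vulnerable
 * handler can be unhooked for any user who cannot manage options. */
add_action( 'admin_init', function () {
	if ( wp_doing_ajax() && ! current_user_can( 'manage_options' ) ) {
		remove_action( 'wp_ajax_apus_demo_import_options_vulnerable', 'apus_demo_import_page_options_vulnerable' );
	}
}, 0 );
```

The three controls in the hardened handler are independent: the nonce stops cross-site request forgery, the capability check is the fix for this advisory, and the allowlist limits the blast radius if either of the first two is ever bypassed, since default_role and users_can_register are not writable through the plugin at all.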

Tags: Fix · LPE

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-12296

Affected Products: Apus Framework · WordPress