Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access
Briefly

The plugin suffers from an unauthenticated privilege escalation vulnerability that allows any unauthenticated visitor to gain Administrator-level access, after which malicious plugins could be uploaded and installed.
CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to take over a vulnerable WordPress site.
This is due to the plugin not properly restricting its role-simulation functionality, allowing a user to set their current user ID to that of an administrator if they have a valid hash, which can be found in the debug logs or obtained through brute force.
The random number generator is not cryptographically secure and the generated hash is neither salted nor tied to a particular request or a user.
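The last two points describe a token that is predictable, unsalted, and unbound to any user or request. As an added illustration (not code from LiteSpeed Cache, WordPress, or the article), the following PHP contrasts that weak pattern with one a plugin should use: a token drawn from a CSPRNG, bound by HMAC to the user ID, the request and an expiry, never written to the debug log, and compared in constant time. `DEMO_SECRET`, `mint_token`, `verify_token` and the request identifier are assumptions for a stand-alone demo; in a real WordPress plugin the secret would come from the site's salts (for example `wp_salt()`) rather than a constant.

```php
<?php
// Added illustration, not the plugin's or WordPress's own code.
declare(strict_types=1);

// --- Weak pattern, reconstructed in spirit from the summary above ---
// mt_rand() is not cryptographically secure, the input space is tiny,
// and nothing ties the result to a user or a request, so the value can
// be enumerated offline or simply reused once observed (e.g. in a log).
function weak_token(): string {
    return md5((string) mt_rand(0, 999999));
}

// --- Hardened pattern ---
// Assumed per-site secret for this demo; a real plugin would use the
// site's salts (wp_salt()) and never hard-code this.
const DEMO_SECRET = 'replace-with-a-per-site-secret';

// Mint a token for one user and one request, valid for $ttl seconds.
function mint_token(int $user_id, string $request_id, int $ttl = 300): array {
    $nonce   = bin2hex(random_bytes(16));   // CSPRNG, 128 bits of entropy
    $expires = time() + $ttl;
    // HMAC binds user, request, expiry and nonce together under the secret,
    // so the token is useless for any other user or request.
    $payload = implode('|', [$user_id, $request_id, $expires, $nonce]);
    $mac     = hash_hmac('sha256', $payload, DEMO_SECRET);
    // Deliberately not logged: tokens must never reach the debug log.
    return ['nonce' => $nonce, 'expires' => $expires, 'mac' => $mac];
}

// Verify a token against the user and request it is being presented for.
function verify_token(int $user_id, string $request_id, array $token): bool {
    if (!isset($token['nonce'], $token['expires'], $token['mac'])) {
        return false;
    }
    if ((int) $token['expires'] < time()) {
        return false;                       // expired
    }
    $payload  = implode('|', [$user_id, $request_id, (int) $token['expires'], $token['nonce']]);
    $expected = hash_hmac('sha256', $payload, DEMO_SECRET);
    // hash_equals() avoids leaking the match position through timing.
    return hash_equals($expected, (string) $token['mac']);
}

// Demo: same user and request, then a mismatched user, then a mismatched request.
$token = mint_token(42, 'req-abc');
var_dump(verify_token(42, 'req-abc', $token));
var_dump(verify_token(1, 'req-abc', $token));
var_dump(verify_token(42, 'req-xyz', $token));
```

The design point is that a role-switch or debug token should be a capability scoped to one principal and one request, not a bare random-looking string: even a CSPRNG-generated value is a liability if it is logged or accepted for any user ID the caller chooses.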
Read at The Hacker News