Description
WordPress Plugin Login/Signup Popup (Inline Form + Woocommerce) is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently change arbitrary site options. This can be used to enable new user registration and set the default role for new users to Administrator. Versions 2.7.1 through 2.7.2 of the plugin are vulnerable.
Remediation
Update the plugin to version 2.7.3 or the latest version.