Description

WordPress Plugin Login/Signup Popup (Inline Form + Woocommerce) is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently change arbitrary site options, which can be used to enable new user registration and set the default role for new users to Administrator. WordPress Plugin Login/Signup Popup (Inline Form + Woocommerce) versions 2.7.1 - 2.7.2 are vulnerable.

Remediation

Update to plugin version 2.7.3 or latest

References

https://www.wordfence.com/blog/2024/06/40000-wordpress-sites-affected-by-vulnerability-that-leads-to-privilege-escalation-in-login-signup-popup-wordpress-plugin/

https://plugins.svn.wordpress.org/easy-login-woocommerce/trunk/readme.txt

Related Vulnerabilities

MySQL CVE-2020-14623 Vulnerability (CVE-2020-14623)

PHP Integer Overflow or Wraparound Vulnerability (CVE-2016-6207)

WordPress Plugin NextGEN Gallery-WordPress Gallery Privilege Escalation (3.2.2)

Oracle HTTP Server Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2021-4184)

WordPress Plugin Contact Form by Supsystic Multiple Vulnerabilities (1.7.5)

Severity

High

Classification

CVE-2024-5324 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass