CVE-2021-24602
📋 TL;DR
The HM Multiple Roles WordPress plugin before version 1.3 contains a privilege escalation vulnerability that allows authenticated users with any role (including subscribers) to grant themselves administrator privileges through their profile page. This affects all WordPress sites running the vulnerable plugin version. The vulnerability requires user authentication but no special permissions.
💻 Affected Systems
- HM Multiple Roles WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
An attacker with any WordPress user account (including low-privilege accounts like subscribers) can elevate themselves to administrator, gaining full control over the WordPress site including content modification, plugin/theme installation, user management, and potential server access.
Likely Case
Malicious users or compromised low-privilege accounts escalate to administrator, enabling data theft, defacement, malware installation, or backdoor persistence.
If Mitigated
With proper access controls and monitoring, unauthorized privilege changes are detected and prevented before damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial to execute via web interface or API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3
Vendor Advisory: https://wordpress.org/plugins/hm-multiple-roles/#developers
Restart Required: No
Instructions:
1. Update the HM Multiple Roles plugin to version 1.3 or later via the WordPress admin dashboard.
2. Alternatively, download version 1.3+ from WordPress.org and update manually via FTP/SFTP.
3. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the HM Multiple Roles plugin until it is patched
wp plugin deactivate hm-multiple-roles
Restrict user profile access
Use WordPress role capabilities to limit who can edit user profiles
🧯 If You Can't Patch
- Remove all non-essential user accounts and audit existing accounts for suspicious activity
- Implement web application firewall rules to block privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins page for HM Multiple Roles version. If version is below 1.3, the site is vulnerable.
Check Version:
wp plugin get hm-multiple-roles --field=version
Verify Fix Applied:
Confirm HM Multiple Roles plugin version is 1.3 or higher in WordPress admin dashboard.
📡 Detection & Monitoring
Log Indicators:
- WordPress user role change events in wp-admin area
- Unexpected user_meta updates for 'wp_capabilities' field
- Multiple failed login attempts followed by successful login and role change
Network Indicators:
- POST requests to /wp-admin/profile.php or user update endpoints with role parameter modifications
SIEM Query:
source="wordpress" (event="profile_update" OR event="user_role_change") user_role="administrator"
🔗 References
- https://jetpack.com/2021/08/05/privilege-escalation-in-hm-multiple-roles-wordpress-plugin/
- https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5