CVE-2024-10216
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to add or remove custom sidebars when the Carbon Fields plugin is installed. It affects all versions of the WP User Manager plugin up to and including 2.9.11. Attackers can modify sidebar configurations without proper authorization.
💻 Affected Systems
- WP User Manager – User Profile Builder & Membership
📦 What is this software?
Wp User Manager by Wpusermanager
⚠️ Risk & Real-World Impact
Worst Case
An attacker could manipulate sidebar configurations to inject malicious content, redirect users to phishing sites, or disrupt website functionality by removing critical sidebars.
Likely Case
Attackers modify sidebar widgets to display spam content, advertisements, or misleading information on user profiles and membership pages.
If Mitigated
With proper user role management and monitoring, impact is limited to sidebar configuration changes that can be audited and reverted.
🎯 Exploit Status
Exploitation requires authenticated access with at least Subscriber privileges. The attack consists of calling the vulnerable sidebar-management functions directly, since they lack an authorization check.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.12
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3194404/wp-user-manager/trunk/includes/class-wp-user-manager.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP User Manager plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.9.12+ from the WordPress repository and replace the existing files.
🔧 Temporary Workarounds
Disable Carbon Fields Plugin
Temporarily deactivate the Carbon Fields plugin to remove the attack surface while keeping WP User Manager functional.
wp plugin deactivate carbon-fields
Restrict User Registration
Disable new user registrations, or require administrator approval, to limit the pool of accounts that could reach the vulnerable code.
wp option update users_can_register 0
🧯 If You Can't Patch
- Use a role management plugin to remove the ability of Subscriber and higher roles to modify sidebars.
- Implement web application firewall rules to block requests to vulnerable sidebar management endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the WP User Manager plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 2.9.11 or lower and Carbon Fields is active, the site is vulnerable.
Check Version:
wp plugin get wp-user-manager --field=version
Verify Fix Applied:
Confirm that the WP User Manager plugin version is 2.9.12 or higher in the WordPress admin panel, and verify that Carbon Fields functionality remains intact.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action parameters containing 'add_sidebar' or 'remove_sidebar'
- Multiple sidebar modification attempts from single user accounts
Network Indicators:
- HTTP requests with action=add_sidebar or action=remove_sidebar parameters from non-admin user IPs
SIEM Query:
source="wordpress.log" AND ("add_sidebar" OR "remove_sidebar") AND user_role!="administrator"
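The log and network indicators above, turned into a small detector as an added example (not code from the advisory, the plugin or Wordfence). It reads a constructed JSON-lines audit log whose field names (ts, user, role, uri, post) are assumptions, flags add_sidebar/remove_sidebar calls to admin-ajax.php from non-administrator accounts, and reports accounts with repeated attempts.

```python
"""Flag sidebar add/remove admin-ajax calls from non-administrator accounts.
Input is a constructed JSON-lines audit log; the field names (ts, user, role,
uri, post) are assumptions for this example, not a real WordPress log format."""
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
SIDEBAR_ACTIONS = {"add_sidebar", "remove_sidebar"}

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
{"ts": "2024-11-01T10:00:01Z", "user": "admin", "role": "administrator", "uri": "/wp-admin/admin-ajax.php?action=add_sidebar"}
{"ts": "2024-11-01T10:02:15Z", "user": "subscriber7", "role": "subscriber", "uri": "/wp-admin/admin-ajax.php?action=add_sidebar"}
{"ts": "2024-11-01T10:02:16Z", "user": "subscriber7", "role": "subscriber", "uri": "/wp-admin/admin-ajax.php", "post": {"action": "remove_sidebar"}}
{"ts": "2024-11-01T10:05:00Z", "user": "subscriber7", "role": "subscriber", "uri": "/wp-admin/admin-ajax.php?action=heartbeat"}
{"ts": "2024-11-01T10:06:30Z", "user": "editor2", "role": "editor", "uri": "/wp-admin/admin-ajax.php?action=remove_sidebar"}
"""

def sidebar_action(entry):
    """Return the sidebar action if the request targets admin-ajax.php with
    action=add_sidebar or action=remove_sidebar, taken from the query string
    or from a logged POST body; otherwise return None."""
    parts = urlsplit(entry["uri"])
    if parts.path != AJAX_PATH:
        return None
    action = parse_qs(parts.query).get("action", [None])[0]
    if action is None:
        action = entry.get("post", {}).get("action")
    return action if action in SIDEBAR_ACTIONS else None

def detect(log_text, threshold=2):
    """Return (alerts, repeat_offenders): one alert per sidebar add/remove by a
    non-administrator, plus users with at least `threshold` such calls."""
    alerts, per_user = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        action = sidebar_action(entry)
        if action is None or entry.get("role") == "administrator":
            continue
        alerts.append((entry["ts"], entry["user"], entry["role"], action))
        per_user[entry["user"]] += 1
    repeat = {user: n for user, n in per_user.items() if n >= threshold}
    return alerts, repeat

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```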
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/vendor-dist/htmlburger/carbon-fields/core/Libraries/Sidebar_Manager/Sidebar_Manager.php#L102
- https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/vendor-dist/htmlburger/carbon-fields/core/Libraries/Sidebar_Manager/Sidebar_Manager.php#L79
- https://plugins.trac.wordpress.org/changeset/3194404/wp-user-manager/trunk/includes/class-wp-user-manager.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3ab4e9c6-68b0-4113-bff0-c1d3c2d3dea4?source=cve