CVE-2024-12821
📋 TL;DR
The Media Manager for UserPro WordPress plugin lacks an authorization (capability) check on a code path that updates WordPress site options, so any authenticated user, even one holding only the Subscriber role, can modify site options. An attacker can set the default registration role (the default_role option) to Administrator and switch user registration on (the users_can_register option), then register a new account that lands as an administrator. All WordPress sites running this plugin at version 3.12.0 or earlier are affected.
💻 Affected Systems
- Media Manager for UserPro WordPress plugin
📦 What is this software?
Media Manager for UserPro, by the vendor Userproplugin, is a commercial add-on for the UserPro WordPress plugin distributed through CodeCanyon rather than the wordpress.org plugin repository.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the WordPress site, allowing them to install backdoors, modify content, steal data, or take the site offline.
Likely Case
Attackers create administrative accounts for themselves, gaining persistent access to compromise the site and potentially other systems in the environment.
If Mitigated
With the plugin updated or deactivated, and alerts on changes to the default registration role and the registration toggle, an attempt to escalate is refused or caught before an administrator account is created.
🎯 Exploit Status
Exploitation requires an authenticated account, but only at the lowest privilege level (Subscriber); on a site that allows self-registration the attacker can create that account themselves. Once credentials exist the flaw is straightforward to exploit: the option changes and the follow-up registration need no special tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.12.1 or later
Vendor Advisory: https://codecanyon.net/item/media-manager-for-userpro/8664618 (the CodeCanyon product page; no separate advisory is linked)
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Media Manager for UserPro'.
4. Click 'Update Now' if it is offered. CodeCanyon plugins do not update through the wordpress.org repository, so if no update is offered, download version 3.12.1 or later from your CodeCanyon purchases and replace the plugin manually.
5. Verify the plugin is active and functioning correctly.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Media Manager for UserPro plugin until it can be updated to a patched version; with the plugin inactive, its option-updating code path is not reachable.
wp plugin deactivate media-manager-for-userpro
Restrict user registration
Disable user registration in WordPress settings (Settings → General → Membership). Note the limit of this workaround: an attacker who already holds an account can use the flaw itself to turn registration back on, so this only denies unauthenticated attackers the Subscriber account they need to start with.
🧯 If You Can't Patch
- Implement strong password policies and multi-factor authentication for all user accounts
- Monitor for changes to site options (in particular default_role and users_can_register), role changes, and new administrator accounts; WordPress core does not log these by default, so an audit-log plugin or a custom hook is needed to produce the events
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Media Manager for UserPro → View version details. If version is 3.12.0 or lower, the site is vulnerable.
Check Version:
wp plugin get media-manager-for-userpro --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 3.12.1 or higher in the WordPress plugins page. Because the flaw may already have been used before the update, also confirm that the default registration role is still Subscriber, that registration is set the way you expect, and that the administrator list contains no unexpected accounts.
📡 Detection & Monitoring
Log Indicators:
- WordPress option updates from non-admin users, especially to default_role or users_can_register (requires an audit-log plugin or custom hook; core produces no such log)
- User role changes in WordPress logs
- New administrator account creation
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=upm_upload_media from non-admin users (web server logs do not carry the caller's role, so correlate the request with the WordPress session or with an application-level log)
SIEM Query (illustrative; field names depend on the audit-log source feeding the SIEM):
source="wordpress" AND (event="option_update" OR event="user_role_change") AND user_role!="administrator"
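The following must-use plugin is an added example for this advisory, not code from the plugin vendor or from WordPress core. It serves two sections at once: the "If You Can't Patch" list, by refusing writes to registration-related options from any user who lacks manage_options, and the "Detection & Monitoring" section, by emitting the option-change, role-change and new-administrator events that the log indicators and SIEM query above assume. It assumes the vulnerable code path reaches update_option() (so the pre_update_option_{$option} filter sees the write) and that the file is placed in wp-content/mu-plugins/; the optguard_ prefix and the guarded options beyond default_role and users_can_register are this example's own choices.

```php
<?php
/**
 * Plugin Name: Option guard for CVE-2024-12821 (stop-gap)
 * Description: Refuses changes to registration-related options from users
 *              without manage_options, and logs every attempt plus any role
 *              change or newly granted administrator role.
 *
 * Added example for this advisory; not the plugin vendor's or WordPress core's
 * code. Assumes the vulnerable path calls update_option(). The optguard_
 * prefix and the options beyond default_role/users_can_register are assumptions.
 */

// Options worth guarding. The first two are the ones the advisory describes
// being abused; the rest equally hand over the site and are this example's pick.
function optguard_options() {
	return array( 'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home', 'active_plugins' );
}

// One line per event on the PHP error log (the WP_DEBUG_LOG file if configured);
// ship that file to the SIEM. The actor is whoever is logged in for the request.
function optguard_log( $event, $detail ) {
	$user = wp_get_current_user();
	$who  = $user->exists()
		? sprintf( 'user_id=%d login=%s roles=%s', $user->ID, $user->user_login, implode( ',', $user->roles ) )
		: 'user=none';
	$ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
	$uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
	error_log( sprintf( 'optguard event=%s %s %s ip=%s uri=%s', $event, $detail, $who, $ip, $uri ) );
}

// pre_update_option_{$option}: returning the old value makes update_option()
// see "no change" and return early, so nothing is written to wp_options.
function optguard_pre_update( $value, $old_value, $option ) {
	if ( current_user_can( 'manage_options' ) ) {
		return $value;
	}
	optguard_log(
		'blocked_option_update',
		sprintf( 'option=%s old=%s new=%s', $option, wp_json_encode( $old_value ), wp_json_encode( $value ) )
	);
	return $old_value;
}

// updated_option fires only after a real write; this records the changes that
// were allowed through so a legitimate admin change is still visible in the log.
function optguard_updated( $option, $old_value, $value ) {
	if ( in_array( $option, optguard_options(), true ) ) {
		optguard_log(
			'option_changed',
			sprintf( 'option=%s old=%s new=%s', $option, wp_json_encode( $old_value ), wp_json_encode( $value ) )
		);
	}
}

// set_user_role fires on every role change, including the one wp_insert_user()
// makes for a fresh registration, so an account that registers straight into
// the administrator role appears here with user=none as the actor.
function optguard_role_changed( $user_id, $role, $old_roles ) {
	$target = get_userdata( $user_id );
	optguard_log(
		'administrator' === $role ? 'administrator_granted' : 'role_changed',
		sprintf(
			'target_id=%d target_login=%s new_role=%s old_roles=%s',
			$user_id,
			$target ? $target->user_login : '?',
			$role,
			implode( ',', (array) $old_roles )
		)
	);
}

// Attach at plugins_loaded so pluggable functions such as wp_get_current_user()
// are defined by the time any callback runs.
function optguard_attach() {
	foreach ( optguard_options() as $option ) {
		add_filter( "pre_update_option_{$option}", 'optguard_pre_update', 10, 3 );
	}
	add_action( 'updated_option', 'optguard_updated', 10, 3 );
	add_action( 'set_user_role', 'optguard_role_changed', 10, 3 );
}
add_action( 'plugins_loaded', 'optguard_attach' );
```

Two caveats when running this. WP-CLI and cron requests have no logged-in user, so a deliberate `wp option update users_can_register 0` is refused unless the command is run with `--user=<administrator login>`. And the guard only narrows the blast radius: an option not on the list stays writable through the flaw, and a plugin that writes to wp_options directly bypasses update_option() entirely, so it is a bridge to version 3.12.1, not a replacement for it.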