CVE-2024-12822
📋 TL;DR
The Media Manager for UserPro WordPress plugin is missing an authorization (capability) check on the add_capto_img action, so an unauthenticated attacker can update arbitrary WordPress options. Two option changes are enough for takeover: set default_role to administrator and set users_can_register to 1, then self-register an account that is born an administrator. All versions up to and including 3.11.0 are affected.
💻 Affected Systems
- Media Manager for UserPro WordPress Plugin
📦 What is this software?
Media Manager for UserPro, by Userproplugin: a commercial add-on for the UserPro membership plugin that lets users upload and manage media from their profiles. It is distributed through CodeCanyon rather than the WordPress.org plugin directory, so 'Update Now' only appears in the admin panel if the vendor's own update mechanism is configured; otherwise the new release has to be downloaded from CodeCanyon and installed manually.
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with administrative privileges, allowing data theft, defacement, malware injection, and further network compromise.
Likely Case
Attackers create administrator accounts and gain full control over the WordPress site, potentially leading to data breaches and business disruption.
If Mitigated
Limited impact if plugin is disabled or removed, though other vulnerabilities may still exist in the WordPress installation.
🎯 Exploit Status
Exploitation requires a single crafted HTTP request carrying the add_capto_img action together with the option name and value to write. No authentication, nonce, or special privilege is needed, and the request can be scripted, so assume opportunistic mass exploitation against any site exposing the plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.11.1 or later
Vendor Advisory: https://codecanyon.net/item/media-manager-for-userpro/8664618
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Media Manager for UserPro' and note its version.
4. Click 'Update Now' if the vendor's update mechanism offers 3.11.1 or later; otherwise download the current release from CodeCanyon and install it over the old version.
5. If no fixed version is available to you, deactivate and delete the plugin immediately.
6. After updating, confirm that users_can_register and default_role in Settings → General have not already been changed, and audit the administrator list for accounts you did not create.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the Media Manager for UserPro plugin to prevent exploitation. The slug below is assumed; confirm it with `wp plugin list` before running.
wp plugin deactivate media-manager-for-userpro
Block Vulnerable Endpoint
Use a web application firewall or .htaccess to block access to the vulnerable function. The rewrite rule below denies direct requests to PHP files under the plugin directory. Caveat: WordPress dispatches plugin AJAX actions through /wp-admin/admin-ajax.php with an action parameter, and that parameter is normally sent in the POST body, which mod_rewrite cannot inspect. A path-only rule therefore does not stop a request to admin-ajax.php with action=add_capto_img; for that you need a WAF rule that matches the action parameter in request arguments (query string and body).
RewriteEngine On
RewriteRule ^wp-content/plugins/media-manager-for-userpro/.*\.php$ - [F,L]
🧯 If You Can't Patch
- Immediately deactivate and remove the Media Manager for UserPro plugin from all WordPress installations.
- Implement strict network access controls and web application firewall rules to block exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Media Manager for UserPro' version 3.11.0 or earlier.
Check Version:
wp plugin get media-manager-for-userpro --field=version
Verify Fix Applied:
Verify plugin version is 3.11.1 or later, or confirm plugin is not installed/active.
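The two checks above (is the installed version still vulnerable, and has the option change an exploit leaves behind already happened) as one small triage script. This is an added example, not code from the advisory or the plugin vendor. It assumes WP-CLI is on PATH and that the plugin slug is media-manager-for-userpro (verify with `wp plugin list`); the option names default_role and users_can_register are WordPress core settings.

```python
"""Triage helpers for CVE-2024-12822 (Media Manager for UserPro <= 3.11.0).

Added example. Assumes WP-CLI is installed and the plugin slug below is
correct; the pure functions work offline so the logic can be unit-tested.
"""
import json
import subprocess
from typing import Dict, List, Optional

PLUGIN_SLUG = "media-manager-for-userpro"   # assumed slug, confirm with `wp plugin list`
FIXED_VERSION = "3.11.1"                    # first fixed release named in the advisory


def parse_version(v: str) -> tuple:
    """'3.11.0' -> (3, 11, 0). Non-numeric suffixes ('3.11.0-beta') count as 0."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed version predates the fix, i.e. <= 3.11.0."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def registration_risk(options: Dict[str, Optional[str]]) -> List[str]:
    """Flag the wp_options state the exploit chain produces: open registration
    combined with administrator as the default role for new users."""
    findings = []
    if str(options.get("users_can_register") or "0") == "1":
        findings.append("users_can_register=1 (self-registration is open)")
    if options.get("default_role") == "administrator":
        findings.append("default_role=administrator (new users become admins)")
    return findings


def wp(*args: str) -> Optional[str]:
    """Run a WP-CLI command; return stdout, or None if WP-CLI is absent or fails."""
    try:
        proc = subprocess.run(["wp", *args], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip()


def live_check() -> dict:
    """Query the live site through WP-CLI and combine both checks."""
    version = wp("plugin", "get", PLUGIN_SLUG, "--field=version")
    options = {
        "users_can_register": wp("option", "get", "users_can_register"),
        "default_role": wp("option", "get", "default_role"),
    }
    return {
        "installed_version": version,
        "vulnerable": is_vulnerable_version(version) if version else None,
        "post_exploitation_signs": registration_risk(options),
    }


if __name__ == "__main__":
    print(json.dumps(live_check(), indent=2))
```

A `vulnerable` value of `None` means WP-CLI could not read the plugin version (most likely the plugin is not installed under that slug). Any entry in `post_exploitation_signs` on a site that did not deliberately open registration should be treated as a probable compromise, not just a misconfiguration.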
📡 Detection & Monitoring
Log Indicators:
- POST requests carrying action=add_capto_img, either to /wp-admin/admin-ajax.php (the WordPress AJAX entry point) or to PHP files under /wp-content/plugins/media-manager-for-userpro/. Note that standard access logs do not record POST bodies, so the action is only visible there when it is sent in the query string; WAF or reverse-proxy logs with body capture are needed otherwise.
- Self-registration requests to /wp-login.php?action=register, especially from the same source IP shortly after the request above, followed by a new user with the administrator role.
- Unexpected changes to the wp_options values default_role (set to administrator) and users_can_register (set to 1), visible in database audit logs or by comparing against a known-good configuration baseline.
Network Indicators:
- HTTP requests containing 'add_capto_img' parameter
- Unusual traffic to plugin-specific endpoints from external IPs
SIEM Query:
source="web_logs" AND method="POST" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-content/plugins/media-manager-for-userpro/*") AND params="*add_capto_img*"
(The params field must include request-body parameters, i.e. come from a WAF or proxy log; plain access logs only expose the query string.)
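The log indicators above, turned into detection logic that runs over access-log lines and correlates the two steps of the attack chain (option rewrite, then self-registration) by source IP. This is an added example, not part of the advisory. The log lines are constructed sample data using RFC 5737 test addresses; the plugin slug is assumed, and the PHP file name under the plugin directory in the sample is a placeholder, not a known endpoint.

```python
"""Scan combined-format access logs for CVE-2024-12822 activity.

Added example. Built-in caveat: access logs lack POST bodies, so an
action=add_capto_img sent in the body is invisible here and needs WAF or
body-logging data; the query-string variant and direct hits on plugin PHP
files are what an access log can show.
"""
import re
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlsplit

PLUGIN_PATH = "/wp-content/plugins/media-manager-for-userpro/"  # assumed slug
VULN_ACTION = "add_capto_img"

# Constructed sample traffic, not real logs. Line 4's file name is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_capto_img HTTP/1.1" 200 57 "-" "python-requests/2.31.0"
198.51.100.9 - - [12/Dec/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2024:10:01:09 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4120 "-" "python-requests/2.31.0"
192.0.2.4 - - [12/Dec/2024:10:02:00 +0000] "POST /wp-content/plugins/media-manager-for-userpro/placeholder.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
192.0.2.5 - - [12/Dec/2024:10:03:00 +0000] "GET /wp-content/uploads/2024/12/a.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious line, or None for clean/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    action = parse_qs(target.query).get("action", [""])[0]
    reasons = []
    if m["method"] == "POST" and action == VULN_ACTION:
        reasons.append("add_capto_img action in query string")
    if m["method"] == "POST" and target.path.startswith(PLUGIN_PATH) and target.path.endswith(".php"):
        reasons.append("direct POST to a plugin PHP file")
    if target.path == "/wp-login.php" and action == "register":
        reasons.append("self-registration attempt")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": target.path, "action": action,
            "status": int(m["status"]), "reasons": reasons}


def scan(log_text: str) -> List[dict]:
    """Classify every line of a log; keep only the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def chained_ips(findings: List[dict]) -> Set[str]:
    """IPs that hit the vulnerable action and then tried to register: the exact
    sequence that turns the option rewrite into an administrator account."""
    hit_action = {f["ip"] for f in findings if f["action"] == VULN_ACTION}
    registered = {f["ip"] for f in findings if "self-registration attempt" in f["reasons"]}
    return hit_action & registered


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["path"], ", ".join(f["reasons"]))
    print("chained (exploit + registration):", sorted(chained_ips(found)))
```

On the sample, the second line (a POST to admin-ajax.php with no query string) is not flagged even though it could carry the same action in its body; that is the blind spot the caveat describes, and the reason the SIEM query should run against WAF or proxy logs that include body parameters. A registration attempt alone is noise on a site with open registration; the correlation in `chained_ips` is what makes it a strong signal.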