CVE-2024-9518

9.8 CRITICAL

📋 TL;DR

The UserPlus WordPress plugin up to version 2.0 contains a privilege escalation vulnerability that allows unauthenticated attackers to assign themselves any user role during registration. This affects all WordPress sites running vulnerable versions of the UserPlus plugin, potentially compromising site security and administrative access.

💻 Affected Systems

Products:
  • UserPlus WordPress Plugin
Versions: All versions up to and including 2.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when plugin is active and user registration is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative privileges, enabling complete site takeover, data theft, malware injection, and further network compromise.

🟠 Likely Case

Attackers register administrator accounts to deface the site, steal sensitive data, or install backdoors for persistent access.

🟢 If Mitigated

Registration only yields the site's default low-privilege role, so a newly created account gains no more than ordinary member access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1 or later

Vendor Advisory (patched source in the plugin's trac, user-functions.php): https://plugins.trac.wordpress.org/browser/userplus/trunk/functions/user-functions.php?rev=1604604#L47

Restart Required: No

Instructions:

1. Update the UserPlus plugin to version 2.1 or later via the WordPress admin panel.
2. Verify the update completes successfully.
3. Test user registration functionality.

🔧 Temporary Workarounds

Disable User Registration (applies to all versions)

Temporarily disable user registration (Settings > General > "Anyone can register") to prevent exploitation.

Deactivate Plugin (applies to all versions)

Deactivate the UserPlus plugin until it can be updated to 2.1 or later.

🧯 If You Can't Patch

  • Implement web application firewall rules to block POST requests to the plugin's registration endpoints (including admin-ajax.php with action=userplus_update_user_profile) that carry a 'role' parameter
  • Monitor user registration logs for new accounts created with a role other than the site's default

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > UserPlus version. If version is 2.0 or lower, system is vulnerable.

Check Version:

wp plugin list --name=userplus --field=version

Verify Fix Applied:

Confirm UserPlus plugin version is 2.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to registration endpoints with 'role' parameter
  • User creation events with non-default roles

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=userplus_update_user_profile containing role parameter

SIEM Query:

source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "userplus") AND http_method="POST" AND (params CONTAINS "role=" OR params CONTAINS "form_actions=")
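As an added illustration (not code from the advisory or from the UserPlus plugin), the Python below applies the indicators above to a few constructed log lines and a constructed new-user list. The log layout, that request bodies are logged, the `/userplus/register/` path and a `subscriber` default role are assumptions; the `userplus_update_user_profile` action name is the one given in the network indicator.

```python
"""Flag access-log lines and new accounts matching the CVE-2024-9518 pattern.

Added example, not part of the advisory or the UserPlus plugin. Sample
data is constructed; field layout and paths are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the site keeps WordPress's default_role of "subscriber".
DEFAULT_ROLE = "subscriber"
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "userplus_update_user_profile"   # action name from the advisory

# Constructed log: ip, method, path+query, status, then the logged POST body.
SAMPLE_LOG = """\
203.0.113.5 POST /wp-admin/admin-ajax.php 200 "action=userplus_update_user_profile&form_actions=register&user_login=eve&role=administrator"
203.0.113.5 POST /wp-admin/admin-ajax.php 200 "action=userplus_update_user_profile&form_actions=register&user_login=bob"
198.51.100.7 POST /wp-login.php?action=register 200 "user_login=carol&user_email=c%40example.org"
198.51.100.9 GET /wp-admin/admin-ajax.php?action=heartbeat 200 ""
203.0.113.5 POST /userplus/register/ 200 "user_login=mallory&role=editor"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Split one constructed log line; merge query-string and body parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qs(parts.query)
    params.update(parse_qs(m["body"]))
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "status": int(m["status"]), "params": params}


def is_userplus_role_injection(rec):
    """True for a POST carrying a 'role' value to a UserPlus registration
    path, or to admin-ajax.php with the plugin's profile-update action.
    A client-supplied role during registration is the exploit primitive,
    so any such request is worth a look regardless of the role named."""
    if rec["method"] != "POST" or "role" not in rec["params"]:
        return False
    ajax_action = rec["params"].get("action", [""])[0]
    return ("userplus" in rec["path"]
            or (rec["path"] == AJAX_PATH and ajax_action == AJAX_ACTION))


def find_suspicious(log_text):
    """Return (ip, path, role) tuples for every line matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_userplus_role_injection(rec):
            for role in rec["params"]["role"]:
                hits.append((rec["ip"], rec["path"], role))
    return hits


# Constructed records in the shape of
#   wp user list --fields=user_login,roles,user_registered --format=json
NEW_USERS = [
    {"user_login": "eve",   "roles": "administrator", "user_registered": "2024-10-07 11:02:13"},
    {"user_login": "carol", "roles": "subscriber",    "user_registered": "2024-10-07 11:05:40"},
    {"user_login": "bob",   "roles": "subscriber",    "user_registered": "2024-10-07 11:09:02"},
]


def new_users_with_non_default_role(users, default_role=DEFAULT_ROLE):
    """Second indicator: accounts whose roles are not exactly the default.
    'roles' is a comma-separated string in wp-cli's output."""
    flagged = []
    for u in users:
        roles = {r.strip() for r in u["roles"].split(",") if r.strip()}
        if roles != {default_role}:
            flagged.append(u["user_login"])
    return flagged


if __name__ == "__main__":
    for ip, path, role in find_suspicious(SAMPLE_LOG):
        print(f"suspicious registration from {ip} on {path}: role={role}")
    print("non-default new users:", new_users_with_non_default_role(NEW_USERS))
```

Against the constructed data the first function flags the admin-ajax.php request naming `administrator` and the `/userplus/register/` request naming `editor`; the plain `bob` registration without a role, the core `wp-login.php` registration and the GET heartbeat are ignored, which is the same filtering the SIEM query above performs, minus its broader `form_actions=` match. The second function flags only `eve`.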
