CVE-2024-11951
Published: 05 March 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2024-11951 is a privilege escalation vulnerability in the Homey Login Register plugin for WordPress, affecting all versions up to and including 2.4.0. The issue stems from the plugin allowing users registering new accounts to set their own role, enabling unauthenticated attackers to create accounts with elevated privileges such as administrator.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required, simply by registering a new account and specifying the administrator role. Successful exploitation grants full administrative access to the WordPress site, leading to high impacts on confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-269 (Improper Privilege Management).
Advisories and additional details are provided by Wordfence in their threat intelligence report and on the Homey Booking WordPress Theme page on ThemeForest.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated exploit in a public-facing WordPress plugin that allows creation of an administrator account, directly enabling T1190 (Exploit Public-Facing Application) for initial access, T1068 (Exploitation for Privilege Escalation) to gain admin rights, and T1136.001 (Create Account: Local Account) via the abused registration mechanism.