CVE-2024-13835
Published: 08 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-13835 is a multisite privilege escalation vulnerability in the Post Meta Data Manager plugin for WordPress, affecting all versions up to and including 1.4.4. The issue arises because the plugin does not properly verify the existence of a multisite installation before allowing the addition or modification of user meta data. Published on 2025-03-08, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-269 (Improper Privilege Management).
Exploitation requires an authenticated account with Administrator-level access or higher (CVSS PR:H); it is reachable over the network, of low complexity, and needs no user interaction. On a single-site install such an account already controls the whole site, so the practical impact is specific to multisite networks, where an administrator of one subsite is not a network (super) administrator. User meta in multisite is stored once, in a table shared by every site of the network, so allowing a subsite administrator to add or modify arbitrary user meta without a multisite-aware authorization check lets them gain elevated privileges on subsites that would otherwise be inaccessible to their role, compromising confidentiality, integrity, and availability on those sites.
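The following PHP is an added illustration of the weakness class (CWE-269 in a WordPress user-meta handler), not code from the Post Meta Data Manager plugin and not the plugin's actual vulnerable code path. The handler and function names (pmdm_example_*) and the form fields are assumptions; the WordPress functions called (is_multisite, current_user_can, is_user_member_of_blog, is_protected_meta, update_user_meta, check_admin_referer) are real core APIs. The vulnerable form trusts a per-site capability alone; the hardened form checks for multisite first, demands network-level rights there, restricts the target user to members of the current site, and refuses the meta keys WordPress itself uses to store per-site roles (wp_capabilities, wp_2_capabilities, and so on), which is why an unrestricted user-meta write is a privilege-escalation primitive on a network.

```php
<?php
/**
 * Added example only: hypothetical handlers named pmdm_example_*,
 * not code from the Post Meta Data Manager plugin.
 */

// Vulnerable pattern (CWE-269): a site-level capability is the only gate.
// On a multisite network, "Administrator" on one subsite does not imply
// authority over users network-wide, yet user meta is shared by all sites.
function pmdm_example_save_user_meta_vulnerable() {
    check_admin_referer( 'pmdm_example_save_user_meta' );
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $user_id    = absint( $_POST['user_id'] ?? 0 );
    $meta_key   = sanitize_key( $_POST['meta_key'] ?? '' );
    $meta_value = wp_unslash( $_POST['meta_value'] ?? '' );

    // Any key on any user. WordPress stores a user's role for each site in
    // the meta key {base_prefix}{blog_id}_capabilities (e.g. wp_2_capabilities),
    // so this write can hand out roles on subsites the caller does not administer.
    update_user_meta( $user_id, $meta_key, $meta_value );
}

// Hardened pattern: decide authorization with multisite in mind, narrow the
// target set, and never let this endpoint touch role/level meta at all.
function pmdm_example_save_user_meta_hardened() {
    global $wpdb;

    check_admin_referer( 'pmdm_example_save_user_meta' );

    if ( is_multisite() ) {
        // User meta is network-wide data: require a network-level capability,
        // which only network (super) administrators hold by default.
        if ( ! current_user_can( 'manage_network_users' ) ) {
            wp_die( 'Forbidden', 403 );
        }
    } elseif ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $user_id    = absint( $_POST['user_id'] ?? 0 );
    $meta_key   = sanitize_key( $_POST['meta_key'] ?? '' );
    $meta_value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );

    if ( ! $user_id || '' === $meta_key ) {
        wp_die( 'Bad request', 400 );
    }

    // Even a network admin must change roles through the Users screen, not
    // by raw meta writes: refuse {prefix}capabilities / {prefix}user_level keys.
    if ( pmdm_example_is_role_meta_key( $meta_key, $wpdb->base_prefix ) ) {
        wp_die( 'Role meta cannot be edited here', 403 );
    }

    // Underscore-prefixed keys are reserved for core/plugin internals.
    if ( is_protected_meta( $meta_key, 'user' ) ) {
        wp_die( 'Protected key', 403 );
    }

    // Limit the blast radius to users who actually belong to this site.
    if ( ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
        wp_die( 'User is not a member of this site', 403 );
    }

    update_user_meta( $user_id, $meta_key, $meta_value );
}

/**
 * True for the role and legacy-level keys of any site on the network:
 * wp_capabilities, wp_user_level, wp_2_capabilities, wp_2_user_level, ...
 */
function pmdm_example_is_role_meta_key( $key, $base_prefix ) {
    $pattern = '/^' . preg_quote( $base_prefix, '/' ) . '(\d+_)?(capabilities|user_level)$/';
    return 1 === preg_match( $pattern, $key );
}

add_action( 'admin_post_pmdm_example_save_user_meta', 'pmdm_example_save_user_meta_hardened' );
```

The is_multisite() branch is the check the advisory says was missing; the key and membership filters are defense in depth so that a future capability mistake cannot be turned back into a role grant. When auditing a plugin for this class, search its user-meta write paths (update_user_meta, add_user_meta, direct $wpdb writes to usermeta) and confirm each one is reachable only with network-level rights on a multisite install.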
Since every release up to and including 1.4.4 is affected, the remedy is to update the plugin to a later release (or deactivate it on multisite networks until that is possible); see the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/568aa6d6-10a1-4653-ab95-845faf005b8e?source=cve and the plugin page at https://wordpress.org/plugins/post-meta-data-manager/ for the fixed version and further guidance.
Details
- CWE(s): CWE-269 (Improper Privilege Management)
- Affected Products: Post Meta Data Manager plugin for WordPress, all versions up to and including 1.4.4
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is a privilege escalation flaw in a WordPress plugin that allows authenticated administrators to improperly add or modify user meta data in multisite environments, directly enabling T1068 Exploitation for Privilege Escalation to gain elevated access on subsites.