Cyber Posture

CVE-2024-56280

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (48.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Incorrect Privilege Assignment vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Privilege Escalation. This issue affects WPGuppy: from n/a through <= 1.1.0.

Security Summary

CVE-2024-56280 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the WPGuppy lite WordPress plugin from AmentoTech Private Limited. The flaw enables privilege escalation and affects WPGuppy versions up to and including 1.1.0; the record gives no lower bound (n/a).

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by an authenticated attacker who holds only low privileges. Attack complexity is low and no user interaction is required, so the attacker can escalate privileges with high impact on confidentiality, integrity, and availability.

Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-0-privilege-escalation-vulnerability?_s_id=cve.

Details

CWE(s): CWE-266

References