CVE-2024-8420

Critical

Published: 28 February 2025

Published

28 February 2025

Modified

06 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0026 49.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.

Security Summary

CVE-2024-8420 is a privilege escalation vulnerability in the DHVC Form plugin for WordPress, affecting all versions up to and including 2.4.7. The flaw stems from the plugin permitting users to supply the 'role' field during registration, which allows attackers to self-assign elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration as a site administrator, granting full control over the WordPress installation and potentially leading to unauthorized access, data exfiltration, modification, or deletion (related to CWE-266 and CWE-269).

Advisories detailing mitigation are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve and the plugin page on CodeCanyon at https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593.

Details

CWE(s): CWE-266CWE-269

Affected Products

sitesao

dhvc form

≤ 2.4.8

References

https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve
Third Party Advisory · security@wordfence.com