CVE-2024-9195

CVE-2024-9195 is a privilege escalation vulnerability in the WHMPress - WHMCS Client Area plugin for WordPress, stemming from a missing capability check in the update_settings case of the /admin/ajax.php file. This flaw affects all versions up to and including 4.3-revision-3, allowing unauthorized modification of WordPress site options. Classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it enables attackers to alter core site configurations without proper permissions.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted requests to the affected endpoint, they can update arbitrary WordPress options, such as changing the default user role for new registrations to administrator and enabling user registration. This allows attackers to self-register with administrative privileges, potentially leading to full site compromise including data exfiltration, further malware deployment, or complete control over the WordPress instance.

Advisories from Wordfence detail the vulnerability and recommend updating to a patched version beyond 4.3-revision-3, as referenced in their threat intelligence report. The plugin's Codecanyon page provides additional context on the WHMPress addon. Security practitioners should scan environments for the vulnerable plugin versions, enforce least-privilege access for subscribers, and monitor for suspicious option updates in the WordPress database.