{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-24649", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "dateUpdated": "2022-11-29T13:35:02.728Z", "dateReserved": "2021-01-14T00:00:00", "datePublished": "2022-11-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2022-11-29T13:35:02.728Z"}, "title": "WP User Frontend < 3.5.29 - Obscure Registration as Admin", "problemTypes": [{"descriptions": [{"description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WP User Frontend", "collectionURL": "https://wordpress.org/plugins", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThan": "3.5.29"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin"}], "references": [{"url": "https://wpscan.com/vulnerability/9486744e-ab24-44e4-b06e-9e0b4be132e2", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "AyeCode Ltd", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wedevs:wp_user_frontend:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "73643FFA-5198-4005-BD70-D1CD7234CD7F", "versionEndExcluding": "3.5.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin"}, {"lang": "es", "value": "El complemento de WordPress WP User Frontend anterior a 3.5.29 utiliza un argumento proporcionado por el usuario llamado urhidden en su formulario de registro, que contiene la funci\u00f3n para la cuenta que se crear\u00e1, cifrada mediante wpuf_encryption(). Esto podr\u00eda permitir que un atacante que tenga acceso a las constantes AUTH_KEY y AUTH_SALT (a trav\u00e9s de un problema de acceso a archivos arbitrarios, por ejemplo, o si el blog usa las claves predeterminadas) cree una cuenta con cualquier rol que desee, como administrador."}], "id": "CVE-2021-24649", "lastModified": "2023-11-07T03:31:18.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-21T11:15:12.507", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/9486744e-ab24-44e4-b06e-9e0b4be132e2"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified"}

{}