CVE-2024-9863

{"id": "CVE-2024-9863", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2024-9863", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2024-10-17T15:23:48.056528Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "cyberlord92", "product": "Miniorange OTP Verification with Firebase", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.0"}], "defaultStatus": "unaffected"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "affectedData": [{"cpes": ["cpe:2.3:a:miniorange:otp_verification:*:*:*:*:*:*:*:*"], "vendor": "miniorange", "product": "otp_verification", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.0"}], "defaultStatus": "unaffected"}]}], "published": "2024-10-17T02:15:04.030", "references": [{"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled."}, {"lang": "es", "value": "El complemento UserPro para WordPress es vulnerable a la escalada de privilegios en versiones hasta la 3.6.0 incluida debido al valor predeterminado inseguro \"administrador\" para la opci\u00f3n \"default_user_role\". Esto hace posible que atacantes no autenticados registren a un usuario administrador incluso si el formulario de registro est\u00e1 deshabilitado."}], "lastModified": "2026-06-17T08:25:24.313", "sourceIdentifier": "security@wordfence.com"}