WPFront User Role Editor <= 3.2.1.11184 - Limited Information Exposure

Exposure of Sensitive Information to an Unauthorized Actor
CVE CVE-2024-2931
CVSS 4.3 (Medium)
Publicly Published April 1, 2024
Last Updated April 2, 2024
Researcher 1337_Wannabe - home

Description

The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve a list of the email addresses of all users registered on the site.

Vulnerability Details for WPFront User Role Editor

Software Type Plugin
Software Slug wpfront-user-role-editor (view on wordpress.org)
Patched? Yes
Remediation Update to version 4.1.0, or a newer patched version
Affected Version
  • <= 3.2.1.11184
Patched Version
  • 4.1.0
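
For sites that ran an affected version, one way to review web server access logs for calls to the AJAX action named in the description. This is an added example, not code from the advisory or the plugin; it assumes Combined Log Format and that the action name appears in the request's query string (a request that carries it in a POST body is not visible in access logs), and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Action name taken from the advisory description.
ACTION = "wpfront_user_role_editor_assign_roles_user_autocomplete"

# Combined Log Format prefix: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def autocomplete_hits(lines):
    """Yield (client, timestamp, status) for admin-ajax.php requests naming ACTION."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        # endswith() also covers WordPress installed in a subdirectory.
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes values, so an encoded action name still matches.
        if ACTION in parse_qs(url.query).get("action", []):
            yield m["client"], m["ts"], int(m["status"])

def summarize(lines):
    """Count hits answered with HTTP 200, per client address."""
    return Counter(c for c, _, status in autocomplete_hits(lines) if status == 200)

# Constructed sample lines (documentation address ranges), not real traffic.
_AJAX = "/wp-admin/admin-ajax.php?action="
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Apr/2024:10:15:01 +0000] "GET {_AJAX}{ACTION} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [02/Apr/2024:10:15:03 +0000] "GET {_AJAX}heartbeat HTTP/1.1" 200 58',
    f'203.0.113.7 - - [02/Apr/2024:10:15:04 +0000] "GET {_AJAX}{ACTION} HTTP/1.1" 200 498',
    f'198.51.100.20 - - [02/Apr/2024:10:16:10 +0000] '
    f'"GET {_AJAX}{ACTION.replace("_", "%5F", 1)} HTTP/1.1" 200 501',
    f'192.0.2.9 - - [02/Apr/2024:10:17:30 +0000] "GET {_AJAX}{ACTION} HTTP/1.1" 403 12',
]

if __name__ == "__main__":
    for client, count in summarize(SAMPLE_LOG).most_common():
        print(f"{client}\t{count} successful autocomplete request(s)")
```

Hits from accounts that have no role-management duties are the ones to review, since the description states that subscriber-level access is sufficient.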
