CVE Published: 23/11/2024 |
CVE Updated: 23/11/2024 |
CVE Year: 2024 Source: Wordfence |
Vendor: wpusermanager |
Product: WP User Manager – User Profile Builder & Membership Status : PUBLISHED
CVE-2024-10537 Description
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key() function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate user meta keys.
Metrics
CVSS Version: 3.1 |
Base Score: 4.3 MEDIUM Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N