CVE-2024-12822 CRITICAL

CVE-2024-12822: Media Manager for UserPro <= 3.12.0 - Missing Authorization to Unauthenticated Arbitrary Options Update

Vendor Deluxethemes
Product Media Manager for UserPro
Weakness CWE-862 · Missing authorization
Published January 30, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the add_capto_img() function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Key dates

02Disclosure timeline

January 30, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-0486 Missing Authorization Check in ABAP based SAP systems CVE-2026-24619 WordPress PopCash.Net Code Integration Tool plugin <= 1.8 - Broken Access Control vulnerability CVE-2024-31230 WordPress ShortPixel Adaptive Images plugin <= 3.8.2 - Broken Access Control vulnerability CVE-2026-24604 WordPress Simple GDPR Cookie Compliance plugin <= 2.0.0 - Broken Access Control vulnerability CVE-2025-62892 WordPress Sunshine Photo Cart plugin <= 3.5.3 - Broken Access Control vulnerability