CVE-2024-8682 MEDIUM

CVE-2024-8682: JNews - WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 - Unauthorized User Registration

Vendor Https://Themeforest.net/Item/Jnews-One-Stop-Solution-For-Web-Publishing/20566392
Product JNews - WordPress Newspaper Magazine Blog AMP Theme
Weakness CWE-862 · Missing authorization
Published March 5, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled.

Key dates

02Disclosure timeline

March 5, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31376 WordPress NanoSupport plugin <= 0.6.0 - Broken Access Control vulnerability CVE-2024-1733 Word Replacer Pro <= 1.0 - Missing Authorization to Unauthenticated Arbitrary Content Update CVE-2022-23944 Apache ShenYu 2.4.1 Improper access control CVE-2025-24591 WordPress GDPR CCPA Compliance & Cookie Consent Banner plugin <= 2.7.1 - Broken Access Control vulnerability CVE-2024-35716 WordPress Copymatic plugin <= 1.9 - Broken Access Control vulnerability