CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
What the vulnerability does
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Explanation of Vulnerability in Simple Terms
CubeWP Framework versions up to 1.1.23 contain a privilege management flaw that allows authenticated users with low-level access to gain unauthorized control over sensitive site functions. An attacker with a basic user account can read, modify, or delete critical data without proper authorization checks. This affects confidentiality, integrity, and availability of the site.
What an attacker can do
Read, modify, or delete sensitive site data and functions without proper authorization.
Potential impact on your site
Authenticated users can escalate privileges and compromise site data, settings, and availability.
Conditions required to exploit
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
External resources
Related vulnerabilities
