The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
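As an added illustration of the CWE-862 pattern the description names (example code written for this page, not the Apus Framework plugin's own), here is a hypothetical admin-ajax options handler shown first without the capability check and then with the checks a defender would expect: a nonce, a `current_user_can()` test, and an allowlist so the client can never choose which option key is written. The function names, the `example_import_page_options` action, the nonce name and the option keys are all assumed.

```php
<?php
// Hypothetical handler with the CWE-862 defect: any authenticated user who can
// reach admin-ajax.php may set any option, because nothing checks who is asking.
function example_import_page_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $key => $value ) {
        update_option( sanitize_key( $key ), $value ); // no capability check, arbitrary key
    }
    wp_send_json_success();
}

// Option names this handler is allowed to write (assumed values for the example).
// Security-relevant core options such as default_role or users_can_register are
// deliberately absent, so they cannot be reached through this endpoint at all.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_page_layout', 'example_page_sidebar' );

// Hardened version of the same handler.
function example_import_page_options_hardened() {
    // Reject cross-site requests before doing any work (dies on failure).
    check_ajax_referer( 'example_import_page_options', 'nonce' );

    // Only users permitted to change site settings may reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $options = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : array();

    foreach ( $options as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
            continue; // silently drop keys outside the allowlist
        }
        update_option( $key, sanitize_text_field( $value ) );
    }
    wp_send_json_success();
}

// Register only the hardened handler. The wp_ajax_ prefix (without nopriv_)
// means WordPress already requires a logged-in user, but that alone is the
// Subscriber+ condition from the advisory, not an authorization check.
add_action( 'wp_ajax_example_import_page_options', 'example_import_page_options_hardened' );
```

When reviewing a plugin for this class of bug, look for every `update_option()` call reachable from an `admin_post_*`, `wp_ajax_*` or REST callback and confirm that both a capability check and a fixed set of option keys stand between the request and the write.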
Metrics
Affected Vendors & Products
References
History
Thu, 20 Feb 2025 16:30:00 +0000
Type | Values Removed | Values Added
---|---|---
First Time appeared | | Apusthemes, Apusthemes superio
CPEs | | cpe:2.3:a:apusthemes:superio:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Apusthemes, Apusthemes superio
Wed, 12 Feb 2025 17:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Metrics | | ssvc
Wed, 12 Feb 2025 09:30:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | | The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Title | | Apus Framework <= 2.3 - Authenticated (Subscriber+) Arbitrary Options Update in import_page_options
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-02-12T16:07:44.680Z
Reserved: 2024-12-06T03:20:45.650Z
Link: CVE-2024-12296

Updated: 2025-02-12T14:57:03.512Z

Status : Analyzed
Published: 2025-02-12T10:15:10.230
Modified: 2025-02-20T16:09:14.287
Link: CVE-2024-12296