Build App Online <= 1.0.19 - Subscriber+ Privilege Escalation

2024-01-0500:00:00

wpscan.com

plugin

authorization

update

user

metadata

administrator

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Description The plugin does not have authorisation in its update_user_meta_value function, allowing any authenticated users, such as subscriber to update arbitrary user metadata and grand themselves administrator privileges

References

patchstack.com/database/vulnerability/build-app-online/wordpress-build-app-online-plugin-1-0-19-authenticated-privilege-escalation-vulnerability