The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up to, and including, 67.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new user accounts with the administrator role.
Metrics
Affected Vendors & Products
References
History
Tue, 26 Nov 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Mojoomla
Mojoomla wordpress Gym Management System |
|
Weaknesses | CWE-862 | |
CPEs | cpe:2.3:a:mojoomla:wordpress_gym_management_system:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Mojoomla
Mojoomla wordpress Gym Management System |
Sun, 24 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Dasinfomedia
Dasinfomedia wpgym Gym Management System |
|
CPEs | cpe:2.3:a:dasinfomedia:wpgym_gym_management_system:-:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Dasinfomedia
Dasinfomedia wpgym Gym Management System |
|
Metrics |
ssvc
|
Sat, 23 Nov 2024 07:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up to, and including, 67.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new user accounts with the administrator role. | |
Title | WPGYM <= 67.1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | |
Weaknesses | CWE-269 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-23T07:38:07.184Z
Updated: 2024-11-24T18:28:30.187Z
Reserved: 2024-10-14T16:13:58.081Z
Link: CVE-2024-9941
Vulnrichment
Updated: 2024-11-24T18:28:26.259Z
NVD
Status : Analyzed
Published: 2024-11-23T08:15:04.197
Modified: 2024-11-26T19:37:15.283
Link: CVE-2024-9941
Redhat
No data.