Cyber Posture

CVE-2024-12821

High

Published: 30 January 2025

Published
30 January 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 24.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12821 is a high-severity Missing Authorization (CWE-862) vulnerability in Userproplugin Media Manager. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to prevent low-privilege authenticated users from modifying arbitrary WordPress options due to the missing capability check.

AC-6 Least Privilege partial match
prevent

Limits privileges to the minimum necessary, reducing the potential for privilege escalation even if initial access is gained by subscribers.

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and correction of flaws like the missing authorization in the plugin, preventing exploitation through timely patching.

NVD Description

The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upm_upload_media() function in all versions up to, and including, 3.12.0. This…

more

makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Deeper analysisAI

CVE-2024-12821 affects the Media Manager for UserPro plugin for WordPress in all versions up to and including 3.12.0. The vulnerability arises from a missing capability check on the upm_upload_media() function, enabling unauthorized modification of data that leads to privilege escalation. It is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for high impact across confidentiality, integrity, and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this issue over the network without user interaction. By calling the vulnerable function, they can update arbitrary WordPress site options, such as modifying the default role for new user registrations to administrator and enabling registration. This allows attackers to self-register with administrative privileges, achieving full site compromise.

Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the plugin's CodeCanyon page offers additional context on the affected component. Security practitioners should consult these references for mitigation guidance, including potential patches beyond version 3.12.0, and audit sites using the plugin for unauthorized option changes.

Details

CWE(s)
CWE-862

Affected Products

userproplugin
media manager
≤ 3.12.0

CVEs Like This One

CVE-2024-12822Same product: Userproplugin Media Manager
CVE-2024-12365Shared CWE-862
CVE-2025-67974Shared CWE-862
CVE-2025-65669Shared CWE-862
CVE-2026-28254Shared CWE-862
CVE-2025-48574Shared CWE-862
CVE-2026-3266Shared CWE-862
CVE-2025-69297Shared CWE-862
CVE-2025-69186Shared CWE-862
CVE-2026-25456Shared CWE-862

References