Cyber Resilience

CVE-2024-12821

High

Published: 30 January 2025

Published
30 January 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12821 is a high-severity Missing Authorization (CWE-862) vulnerability in Userproplugin Media Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12821 affects the Media Manager for UserPro plugin for WordPress in all versions up to and including 3.12.0. The vulnerability arises from a missing capability check on the upm_upload_media() function, enabling unauthorized modification of data that leads to privilege escalation. It is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for high impact across confidentiality, integrity, and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this issue over the network without user interaction. By calling the vulnerable function, they can update arbitrary WordPress site options, such as modifying the default role for new user registrations to administrator and enabling registration. This allows attackers to self-register with administrative privileges, achieving full site compromise.

Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the plugin's CodeCanyon page offers additional context on the affected component. Security practitioners should consult these references for mitigation guidance, including potential patches beyond version 3.12.0, and audit sites using the plugin for unauthorized option changes.

EU & UK References

Vulnerability details

The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upm_upload_media() function in all versions up to, and including, 3.12.0. This…

more

makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Missing authorization on option update enables authenticated priv esc to admin and arbitrary account creation via role modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12822Same product: Userproplugin Media Manager
CVE-2025-5483Shared CWE-862
CVE-2026-1937Shared CWE-862
CVE-2026-2992Shared CWE-862
CVE-2023-53923Shared CWE-862
CVE-2025-26375Shared CWE-862
CVE-2025-8059Shared CWE-862
CVE-2026-8547Shared CWE-862
CVE-2026-22172Shared CWE-862
CVE-2025-48574Shared CWE-862

Affected Assets

userproplugin
media manager
≤ 3.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent low-privilege authenticated users from modifying arbitrary WordPress options due to the missing capability check.

prevent

Limits privileges to the minimum necessary, reducing the potential for privilege escalation even if initial access is gained by subscribers.

prevent

Requires identification, reporting, and correction of flaws like the missing authorization in the plugin, preventing exploitation through timely patching.

References