Cyber Resilience

CVE-2024-13835

Severity: High

Published: 08 March 2025
Modified: 08 April 2026

CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13835 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wpexpertplugins Post Meta Data Manager. Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.5th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13835 is a multisite privilege escalation vulnerability in the Post Meta Data Manager plugin for WordPress, affecting all versions up to and including 1.4.4. The issue arises because the plugin does not properly verify the existence of a multisite installation before allowing the addition or modification of user meta data. Published on 2025-03-08, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-269 (Improper Privilege Management).

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation enables them to gain elevated privileges on subsites that would otherwise be inaccessible to their role, potentially compromising confidentiality, integrity, and availability across the multisite network.
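As an added illustration (not the plugin's own code, and with hypothetical hook and function names), the following WordPress handler shows the multisite-aware checks the advisory describes as missing before user meta is added or modified: a per-user capability check that WordPress core already maps to manage_network_users on multisite, an explicit network-level gate as defence in depth, and a refusal to write the role-bearing capabilities keys.

```php
<?php
// Added example, not part of the Post Meta Data Manager plugin.
// Hook and function names are hypothetical.
add_action( 'admin_post_example_save_user_meta', 'example_save_user_meta' );

function example_save_user_meta() {
    // CSRF protection for the admin form submission.
    check_admin_referer( 'example_save_user_meta' );

    $target_user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $meta_key       = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    $meta_value     = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    if ( ! $target_user_id || '' === $meta_key ) {
        wp_die( 'Invalid request.', 400 );
    }

    // Per-user meta capability. On multisite, core's map_meta_cap() resolves
    // 'edit_user' to do_not_allow unless the caller has manage_network_users
    // (and is a super admin when the target is one).
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // Explicit multisite gate, kept as defence in depth: wp_usermeta is shared
    // by every site in the network, so a single-site Administrator must not be
    // able to change meta that affects subsites they do not administer.
    if ( is_multisite() && ! current_user_can( 'manage_network_users' ) ) {
        wp_die( 'Network-level privileges are required on multisite.', 403 );
    }

    // Never let a generic meta editor touch role/capability storage
    // (wp_capabilities, wp_2_capabilities, wp_user_level, ...).
    $base = preg_quote( $GLOBALS['wpdb']->base_prefix, '/' );
    if ( preg_match( '/^' . $base . '(\d+_)?(capabilities|user_level)$/', $meta_key ) ) {
        wp_die( 'Protected meta key.', 403 );
    }

    update_user_meta( $target_user_id, $meta_key, $meta_value );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
```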

Mitigation guidance is available in the following references: the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/568aa6d6-10a1-4653-ab95-845faf005b8e?source=cve and the plugin page at https://wordpress.org/plugins/post-meta-data-manager/.

Vulnerability details

The Post Meta Data Manager plugin for WordPress is vulnerable to multisite privilege escalation in all versions up to, and including, 1.4.4. This is due to the plugin not properly verifying the existence of a multisite installation prior to allowing user meta to be added/modified. This makes it possible for authenticated attackers, with Administrator-level access and above, to gain elevated privileges on subsites that would otherwise be inaccessible.

CWE(s): CWE-269 (Improper Privilege Management)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a privilege escalation flaw in a WordPress plugin that allows authenticated administrators to improperly add or modify user meta data in multisite environments, directly enabling T1068 Exploitation for Privilege Escalation to gain elevated access on subsites.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-44250 (shared CWE-269)
CVE-2024-53706 (shared CWE-269)
CVE-2025-66374 (shared CWE-269)
CVE-2026-28995 (shared CWE-269)
CVE-2025-43199 (shared CWE-269)
CVE-2025-36640 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2024-47770 (shared CWE-269)
CVE-2025-24254 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)

Affected Assets

Vendor: wpexpertplugins
Product: post meta data manager
Versions: ≤ 1.4.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation directly addresses the plugin's improper multisite verification by requiring timely patching to prevent privilege escalation.

AC-6 Least Privilege (prevent)
Least privilege enforcement limits the privileges available for escalation on subsites, countering the improper privilege management flaw.

AC-3 Access Enforcement (prevent)
Access enforcement mechanisms ensure proper verification of multisite context before allowing user meta modifications, mitigating the plugin's authorization bypass.