CVE-2024-13835
Published: 08 March 2025
Summary
CVE-2024-13835 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Wpexpertplugins Post Meta Data Manager. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13835 is a multisite privilege escalation vulnerability in the Post Meta Data Manager plugin for WordPress, affecting all versions up to and including 1.4.4. The issue arises because the plugin does not properly verify the existence of a multisite installation before allowing the addition or modification of user meta data. Published on 2025-03-08, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-269 (Improper Privilege Management).
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation enables them to gain elevated privileges on subsites that would otherwise be inaccessible to their role, potentially compromising confidentiality, integrity, and availability across the multisite network.
Mitigation guidance is available in advisories from references including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/568aa6d6-10a1-4653-ab95-845faf005b8e?source=cve and the plugin page at https://wordpress.org/plugins/post-meta-data-manager/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54181
Vulnerability details
The Post Meta Data Manager plugin for WordPress is vulnerable to multisite privilege escalation in all versions up to, and including, 1.4.4. This is due to the plugin not properly verifying the existence of a multisite installation prior to allowing user meta to be added/modified. This makes it possible for authenticated attackers, with Administrator-level access and above, to gain elevated privileges on subsites that would otherwise be inaccessible.
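The root cause described above is a missing context check: a handler that writes user meta after only a plain capability check on the current site lets a subsite administrator reach users who belong to other subsites, because on a multisite network user meta is shared network-wide. The following is an added illustration written for this page, not code from the Post Meta Data Manager plugin; the function, action and nonce names are hypothetical, and it shows the unsafe pattern next to a hardened handler that verifies the multisite context and the caller's authority over the specific target user before calling update_user_meta().

```php
<?php
/**
 * Added illustration (hypothetical names; not the plugin's own code).
 * Two admin-post handlers that update a user's meta value: the first
 * shows the pattern behind CVE-2024-13835, the second the hardened form.
 */

// Unsafe pattern: a plain capability check on the current site. On a
// multisite network a subsite administrator passes this, yet user meta is
// shared across all subsites, so they can write meta for users of other
// subsites that their role should never reach.
function pmdm_demo_update_user_meta_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $meta_key = sanitize_key( $_POST['meta_key'] ?? '' );
    $value    = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( $user_id, $meta_key, $value );
}

// Hardened pattern: check the multisite context, the caller's authority over
// this particular user, and the meta key itself before writing anything.
function pmdm_demo_update_user_meta_safe() {
    // CSRF protection for the form submission (nonce action is hypothetical).
    check_admin_referer( 'pmdm_demo_update_user_meta' );

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $meta_key = sanitize_key( $_POST['meta_key'] ?? '' );
    $value    = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );

    if ( 0 === $user_id || '' === $meta_key ) {
        wp_die( 'Bad request', 400 );
    }

    if ( is_multisite() ) {
        // Network install: user meta is network-wide, so only a network
        // (super) administrator may modify it. A subsite admin is not enough.
        if ( ! is_super_admin() ) {
            wp_die( 'Forbidden: network administrator required', 403 );
        }
    } elseif ( ! current_user_can( 'edit_user', $user_id ) ) {
        // Single site: the caller must be allowed to edit this specific user.
        wp_die( 'Forbidden', 403 );
    }

    // Refuse unknown user IDs rather than creating orphaned meta rows.
    if ( ! get_userdata( $user_id ) ) {
        wp_die( 'Unknown user', 404 );
    }

    // Capability and level meta keys ({prefix}capabilities, {prefix}N_capabilities,
    // {prefix}user_level) define roles; writing them directly is itself a
    // privilege escalation, so route role changes through WP_User::set_role()
    // instead of raw meta updates.
    global $wpdb;
    $protected = '/^' . preg_quote( $wpdb->base_prefix, '/' ) . '(\d+_)?(capabilities|user_level)$/';
    if ( preg_match( $protected, $meta_key ) ) {
        wp_die( 'Protected meta key', 403 );
    }

    update_user_meta( $user_id, $meta_key, $value );
}
add_action( 'admin_post_pmdm_demo_update_user_meta', 'pmdm_demo_update_user_meta_safe' );
```

The order of the checks matters: the nonce and input validation come first, the multisite gate decides who may write at all, the per-user capability check (on single-site installs) ties the decision to the target user rather than to the caller's role in general, and the meta-key filter closes the remaining path by which a meta write could change roles. A plugin that only performs the first check in the unsafe version satisfies neither AC-6 (Least Privilege) nor AC-3 (Access Enforcement) on a multisite network.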
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a privilege escalation flaw in a WordPress plugin that allows authenticated administrators to improperly add or modify user meta data in multisite environments, directly enabling T1068 Exploitation for Privilege Escalation to gain elevated access on subsites.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of the plugin to a fixed version directly removes the improper multisite verification that enables the privilege escalation.
- AC-6 (Least Privilege): limiting the privileges granted to site administrators on a multisite network reduces what can be gained by escalation on subsites, countering the improper privilege management flaw.
- AC-3 (Access Enforcement): enforcing that the multisite context and the caller's authority over the target user are verified before any user meta modification mitigates the plugin's authorization bypass.