Cyber Resilience

CVE-2024-2505

Severity: High · Public PoC available

Published: 29 April 2024

Modified: 08 May 2025
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0063 (70.9th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-2505 is a high-severity vulnerability of an unspecified weakness type (no CWE assigned) in GamiPress (vendor: GamiPress). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 29.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

EU & UK References

Vulnerability details

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical configurations of the GamiPress WordPress plugin before 6.8.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Broken access control lets low-privileged Authors exploit the vulnerability for privilege escalation (T1068) by manipulating plugin settings to grant unauthorized access (e.g., the manage_options capability) to lower-privileged users such as Subscribers, which in turn facilitates account manipulation (T1098).

Affected Assets

Vendor: gamipress
Product: gamipress
Versions: ≤ 6.8.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References