CVE-2024-49644
Published: 07 January 2025
Summary
CVE-2024-49644 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 48.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the incorrect privilege assignment flaw in the AllAccessible WordPress plugin via timely identification, testing, and patching.
- CM-11 (User-installed Software): controls user-installed software such as vulnerable WordPress plugins by requiring approval, verification, and monitoring, preventing deployment of components with privilege escalation flaws.
- AC-6 (Least Privilege): enforces the least privilege principle to restrict user access rights and limit the impact of successful exploitation of the plugin's privilege escalation vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1068 (Exploitation for Privilege Escalation): directly enables privilege escalation via exploitation of incorrect privilege assignment in an authenticated WordPress context.
NVD Description
Incorrect Privilege Assignment vulnerability in AllAccessible Accessibility by AllAccessible allaccessible allows Privilege Escalation. This issue affects Accessibility by AllAccessible: from n/a through <= 1.3.4.
Deeper analysis
CVE-2024-49644 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the WordPress plugin Accessibility by AllAccessible, also referred to as allaccessible. This flaw enables privilege escalation and affects all versions of the plugin from its initial release through 1.3.4.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A low-privileged authenticated user can exploit it over the network with low attack complexity and without user interaction; scope is unchanged, and a successful exploit has high impact on confidentiality, integrity, and availability through the escalated privileges.
Patchstack has documented the issue in its vulnerability database for WordPress plugins, with details available at https://patchstack.com/database/Wordpress/Plugin/allaccessible/vulnerability/wordpress-accessibility-by-allaccessible-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve.
Details
- CWE(s)