Cyber Resilience

CVE-2024-49644

High

Published: 07 January 2025

Published
07 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0035 57.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49644 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 42.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-11 (User-installed Software).

Deeper analysis

CVE-2024-49644 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the WordPress plugin Accessibility by AllAccessible, also referred to as allaccessible. This flaw enables privilege escalation and affects all versions of the plugin from its initial release through 1.3.4.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A low-privileged authenticated user can exploit it remotely with low complexity and without requiring user interaction, potentially achieving high-impact effects on confidentiality, integrity, and availability through escalated privileges.

Patchstack has documented the issue in its vulnerability database for WordPress plugins, with details available at https://patchstack.com/database/Wordpress/Plugin/allaccessible/vulnerability/wordpress-accessibility-by-allaccessible-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in AllAccessible Accessibility by AllAccessible allaccessible allows Privilege Escalation.This issue affects Accessibility by AllAccessible: from n/a through <= 1.3.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Directly enables privilege escalation via exploitation of incorrect privilege assignment in authenticated WordPress context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42368Shared CWE-266
CVE-2025-69293Shared CWE-266
CVE-2026-42680Shared CWE-266
CVE-2025-69378Shared CWE-266
CVE-2026-27102Shared CWE-266
CVE-2025-22736Shared CWE-266
CVE-2024-40591Shared CWE-266
CVE-2026-48879Shared CWE-266
CVE-2025-33179Shared CWE-266
CVE-2026-25414Shared CWE-266

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the incorrect privilege assignment flaw in the AllAccessible WordPress plugin via timely identification, testing, and patching.

prevent

Controls user-installed software like vulnerable WordPress plugins by requiring approval, verification, and monitoring to prevent deployment of components with privilege escalation flaws.

prevent

Enforces least privilege principle to restrict user access rights and mitigate successful exploitation of the plugin's privilege escalation vulnerability.

References