Cyber Posture

CVE-2024-56000

Critical

Published: 18 February 2025

Modified: 29 April 2026
KEV Added: not listed
Patch: update to K Elements 5.4.0 or later
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-56000 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 44.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Timely remediation of the flawed K Elements plugin by patching to version 5.4.0 or later directly eliminates the incorrect privilege assignment vulnerability.

prevent (AC-6, Least Privilege): Enforcing least privilege directly counters privilege escalation from incorrect privilege assignments in the plugin.

prevent (AC-2, Account Management): Account management processes ensure proper identification, provisioning, and review of privileges to prevent unauthorized escalations like those in CVE-2024-56000.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated remote privilege escalation via a public-facing WordPress plugin flaw enables T1190 exploitation and T1068 escalation to account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation. This issue affects K Elements: from n/a through < 5.4.0.

Deeper analysis

CVE-2024-56000 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the SeventhQueen K Elements WordPress plugin, enabling privilege escalation. The issue affects all versions of the K Elements plugin prior to 5.4.0.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely by unauthenticated attackers with low complexity and no user interaction. Exploitation allows attackers to achieve unauthenticated account takeover, resulting in high impacts to confidentiality, integrity, and availability through elevated privileges on the affected WordPress site.

The Patchstack advisory recommends updating the K Elements plugin to version 5.4.0 or later to mitigate this vulnerability.

Details

CWE(s): CWE-266 (Incorrect Privilege Assignment)

CVEs Like This One (shared CWE-266)

CVE-2026-32520
CVE-2025-44655
CVE-2026-27051
CVE-2026-23800
CVE-2026-32519
CVE-2026-32488
CVE-2026-32916
CVE-2025-68869
CVE-2026-23550
CVE-2026-24968
