CVE-2024-8420
Published: 28 February 2025
Summary
CVE-2024-8420 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Sitesao Dhvc Form. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-8420 is a privilege escalation vulnerability in the DHVC Form plugin for WordPress, affecting all versions up to and including 2.4.7. The flaw stems from the plugin permitting users to supply the 'role' field during registration, which allows attackers to self-assign elevated privileges.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration as a site administrator, granting full control over the WordPress installation and potentially leading to unauthorized access, data exfiltration, modification, or deletion (related to CWE-266 and CWE-269).
Advisories detailing mitigation are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve and the plugin page on CodeCanyon at https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53961
Vulnerability details
The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE directly enables remote exploitation of a public-facing WordPress plugin (T1190), resulting in unauthenticated privilege escalation to admin (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
Directly validates user-supplied 'role' field during registration to prevent attackers from assigning themselves administrator privileges.
Ensures accounts and roles are created and assigned according to defined policies by authorized managers, blocking self-registration as administrator.
Enforces least privilege principle to restrict access even if improper role assignment occurs during registration.
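The input-validation and account-management controls above can be applied as a compensating control on a WordPress site with a small must-use plugin that allow-lists the role of self-registered accounts. This is an added example, not code from DHVC Form or its vendor; the `rrg_*` names are hypothetical, and it assumes the role is assigned when the account is created, before WordPress fires its `user_register` action.

```php
<?php
/**
 * Plugin Name: Registration role guard (added example, hypothetical)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Roles a self-registered account may hold: only the site's configured
// default role, and never a privileged one even if the option was changed.
function rrg_allowed_roles() {
    $default = get_option( 'default_role', 'subscriber' );
    if ( in_array( $default, array( 'administrator', 'editor' ), true ) ) {
        $default = 'subscriber';
    }
    return array( $default );
}

// Trusted callers: a logged-in user who may manage roles (for example an
// administrator adding an account in wp-admin), or WP-CLI on the server.
function rrg_is_trusted_actor() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return true;
    }
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Runs last on user_register: any role outside the allow-list on an account
// created by an untrusted request is replaced with the allowed default.
function rrg_enforce_registration_role( $user_id ) {
    if ( rrg_is_trusted_actor() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $allowed    = rrg_allowed_roles();
    $unexpected = array_diff( (array) $user->roles, $allowed );
    if ( ! empty( $unexpected ) ) {
        // Log before changing anything so the attempt is visible to responders.
        error_log( sprintf(
            'rrg: user %d registered with role(s) [%s]; reset to %s',
            $user_id,
            implode( ',', $unexpected ),
            $allowed[0]
        ) );
        $user->set_role( $allowed[0] ); // set_role() replaces all existing roles
    }
}
add_action( 'user_register', 'rrg_enforce_registration_role', PHP_INT_MAX );
```

The guard does not cover role changes made after account creation, and it does not replace the fixes described in the advisories; the logged lines also give a starting point for reviewing administrator accounts that were registered while a vulnerable version was installed.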