Cyber Resilience

CVE-2024-8420

Critical

Published: 28 February 2025

Modified: 06 March 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-8420 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Sitesao Dhvc Form. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-8420 is a privilege escalation vulnerability in the DHVC Form plugin for WordPress, affecting all versions up to and including 2.4.7. The flaw stems from the plugin permitting users to supply the 'role' field during registration, which allows attackers to self-assign elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables remote registration as a site administrator, granting full control over the WordPress installation and potentially leading to unauthorized access, data exfiltration, modification, or deletion (related to CWE-266 and CWE-269).

Advisories detailing mitigation are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e4d51a0c-c625-4732-b345-df02971fbffa?source=cve and the plugin page on CodeCanyon at https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593.

Vulnerability details

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE directly enables remote exploitation of a public-facing WordPress plugin (T1190), resulting in unauthenticated privilege escalation to administrator (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26725 (shared CWE-269)
CVE-2026-31070 (shared CWE-269)
CVE-2026-23550 (shared CWE-266)
CVE-2026-32520 (shared CWE-266)
CVE-2024-9636 (shared CWE-269)
CVE-2025-67953 (shared CWE-266)
CVE-2024-32555 (shared CWE-266)
CVE-2026-27983 (shared CWE-266)
CVE-2025-13675 (shared CWE-269)
CVE-2026-46837 (shared CWE-269)

Affected Assets

sitesao · dhvc form · ≤ 2.4.8

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly validates user-supplied 'role' field during registration to prevent attackers from assigning themselves administrator privileges.

Prevent: Ensures accounts and roles are created and assigned according to defined policies by authorized managers, blocking self-registration as administrator.

Prevent: Enforces least privilege principle to restrict access even if improper role assignment occurs during registration.
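
One way to enforce the role-validation and least-privilege controls above at the WordPress layer, as an added example (not code from DHVC Form or from the advisories): a must-use plugin that resets any role outside an allowlist on self-registered accounts. It assumes the registration path goes through `wp_insert_user()`, so that the core `user_register` action fires; the file name, the function and constant names, and the `subscriber` allowlist are assumptions.

```php
<?php
/**
 * Plugin Name: Self-registration role guard (added example, not DHVC Form code)
 * Install as wp-content/mu-plugins/selfreg-role-guard.php (file name is an assumption).
 */

// Roles a self-registered account may hold. Assumption: adjust to site policy.
const SELFREG_ALLOWED_ROLES = array( 'subscriber' );

// Run last so the check sees the role after every other registration hook.
add_action( 'user_register', 'selfreg_enforce_role', PHP_INT_MAX );

function selfreg_enforce_role( $user_id ) {
	// Accounts created by a logged-in user who may create users are
	// legitimate provisioning, as are accounts created from WP-CLI.
	if ( is_user_logged_in() && current_user_can( 'create_users' ) ) {
		return;
	}
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		return;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	// Any role outside the allowlist on a self-registered account is unexpected.
	$unexpected = array_diff( (array) $user->roles, SELFREG_ALLOWED_ROLES );
	if ( empty( $unexpected ) ) {
		return;
	}

	// Fall back to the configured default role only if policy allows it.
	$fallback = get_option( 'default_role', 'subscriber' );
	if ( ! in_array( $fallback, SELFREG_ALLOWED_ROLES, true ) ) {
		$fallback = SELFREG_ALLOWED_ROLES[0];
	}
	$user->set_role( $fallback ); // set_role() replaces all existing roles.

	// Leave an audit trail for incident response.
	error_log( sprintf(
		'selfreg-role-guard: user %d registered with role(s) [%s]; reset to %s',
		$user_id, implode( ',', $unexpected ), $fallback
	) );
}
```

The guard does not touch accounts created before it was installed; review existing administrators separately, for example with `wp user list --role=administrator`.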
