WordPress Email Notifications for Updates Plugin Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Email Notifications for Updates plugin for WordPress, affecting all versions through 1.1.6, allows for unauthorized data modification that could lead to privilege escalation. The issue arises from a missing capability check in the awun_import_settings() function, enabling authenticated attackers with Subscriber-level access or higher to update arbitrary options on the WordPress site. This vulnerability could be exploited to change the default role for new users to administrator and activate user registration, potentially granting administrative access to the attacker on the compromised site.

Impact

Exploitation of this vulnerability could allow an authenticated user with Subscriber-level access to gain administrative privileges on the WordPress site by manipulating user roles and registration settings.
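The root cause the advisory names is a settings-import handler that writes options without first asking whether the caller is allowed to. The following illustration is added here and is not the plugin's own code; the function names awun_import_settings_vulnerable() and awun_import_settings_hardened(), the option keys and the nonce action name are assumptions. It shows the unsafe shape beside the usual WordPress fix: a capability check, a nonce check, and an allow-list of the plugin's own option keys so that core settings such as the default user role can never be reached through the importer.

```php
<?php
// Added illustration, not code from the Email Notifications for Updates plugin.
// Function names, option keys and the nonce action are assumed for the example.

// The pattern the advisory describes: every option name/value the request
// carries is written with update_option(), and nothing checks who is asking.
function awun_import_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value ); // any option, by any logged-in user
    }
}

// Hardened form: authorization, CSRF protection and a strict allow-list.
function awun_import_settings_hardened() {
    // 1. Only users who may manage options can import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to import settings.', 'awun' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. The request must carry a valid nonce for this action (assumed name).
    check_admin_referer( 'awun_import_settings' );

    // 3. Only the plugin's own option keys may be written, each with its own
    //    sanitizer. Unknown keys (e.g. core settings) are dropped, never stored.
    $allowed = array(
        'awun_notify_email'   => 'sanitize_email',
        'awun_notify_enabled' => 'rest_sanitize_boolean',
    );
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    foreach ( $settings as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue;
        }
        update_option( $name, call_user_func( $allowed[ $name ], $value ) );
    }
}

// Register the hardened handler for the admin-post endpoint (assumed action).
add_action( 'admin_post_awun_import_settings', 'awun_import_settings_hardened' );
```

The capability check alone closes the privilege escalation path the advisory describes; the nonce and the allow-list are defence in depth, so that even an administrator's session cannot be tricked into writing unrelated options. When reviewing a plugin update for this class of bug, look for update_option() calls whose key or value comes from the request and confirm that a current_user_can() check precedes them.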

Remediation

Users are advised to update the Email Notifications for Updates plugin to version 1.2.0 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 5.9
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.