CVE-2021-24649: CWE-287 Improper Authentication in Unknown WP User Frontend
The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constants (via an arbitrary file access issue, for example, or if the blog is using the default keys) to create an account with any role they want, such as admin.
AI Analysis
Technical Summary
CVE-2021-24649 is a critical vulnerability in the WP User Frontend WordPress plugin in versions prior to 3.5.29. It is an improper authentication flaw (CWE-287) in the plugin's user registration process: the plugin accepts a user-supplied argument named 'urhidden' in its registration form, and that field carries the role the new account will be created with. The role is encrypted with the plugin's wpuf_encryption() function, which is keyed from the site's AUTH_KEY and AUTH_SALT constants, so the server treats a value that decrypts correctly as trustworthy.

The weakness is that the encryption key is a site-wide secret, not something that proves the request is authorised. An attacker who obtains AUTH_KEY and AUTH_SALT, whether through an arbitrary file access vulnerability or because the site still uses default, publicly known keys, can decrypt or forge the 'urhidden' parameter and register an account with any role, including administrator.

Exploitation does not require prior authentication or user interaction and can be carried out remotely over the network, although it does depend on the attacker knowing the site's keys. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability: an administrator account gives full control of the WordPress site, including the ability to modify content, install malicious plugins, or pivot to other parts of the hosting environment. No exploitation in the wild has been reported, but the low complexity and high impact make this a significant threat to sites running vulnerable versions. The vulnerability was publicly disclosed on November 21, 2022, and fixed in version 3.5.29 of the WP User Frontend plugin.
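The design flaw described above is that a client-supplied field, encrypted under a site-wide secret, is used as the authorization decision for the account's role. The following Python model, added here as an illustration and not code from the WP User Frontend plugin, contrasts that pattern with a hardened one in which the role is taken from server-side form configuration and checked against an allow-list. The cipher is a constructed stand-in for wpuf_encryption(), and the AUTH_KEY, AUTH_SALT, form identifiers and role policy are all assumed values.

```python
"""Model of the trust flaw behind CVE-2021-24649 and a hardened alternative.

Added example, not code from the WP User Frontend plugin. The cipher below is
a constructed stand-in for wpuf_encryption(): it only shows that a value that
decrypts correctly under site-wide keys proves nothing about who produced it.
"""
import hashlib
import hmac
import secrets

# Constructed stand-ins for the wp-config.php secrets (assumption, not real keys).
AUTH_KEY = "constructed-auth-key-for-demo"
AUTH_SALT = "constructed-auth-salt-for-demo"


def _keystream(key: str, salt: str, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream derived from the site secrets (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new((key + salt).encode(), nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(value: str, key: str, salt: str) -> str:
    """Encrypt-then-MAC a form field. Anyone holding key and salt can produce one."""
    nonce = secrets.token_bytes(8)
    plain = value.encode()
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, salt, nonce, len(plain))))
    tag = hmac.new((salt + key).encode(), body, hashlib.sha256).digest()
    return (body + tag).hex()


def decrypt_field(token: str, key: str, salt: str) -> str:
    """Verify the MAC and decrypt; raises ValueError on a tampered token."""
    raw = bytes.fromhex(token)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new((salt + key).encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad authentication tag")
    nonce, ct = body[:8], body[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, nonce, len(ct)))).decode()


# --- Vulnerable pattern: the client-supplied 'urhidden' field decides the role.
def vulnerable_register(form: dict) -> str:
    """Returns the role the account would be created with (flawed design)."""
    return decrypt_field(form["urhidden"], AUTH_KEY, AUTH_SALT)


# --- Hardened pattern: the role comes from server-side form configuration and
# must be on an allow-list; the client-controlled field is never consulted.
FORM_ROLES = {"public-signup": "subscriber", "author-signup": "contributor"}  # constructed
SELF_REGISTRATION_ALLOWLIST = {"subscriber", "contributor"}  # assumption: site policy


def hardened_register(form: dict) -> str:
    """Returns the role for a self-registered account, independent of client input."""
    role = FORM_ROLES.get(form.get("form_id"), "subscriber")
    if role not in SELF_REGISTRATION_ALLOWLIST:
        raise PermissionError(f"form would grant disallowed role {role!r}")
    return role


if __name__ == "__main__":
    # A token minted by whoever holds the site keys: the vulnerable handler
    # honours it, the hardened handler ignores it.
    key_holder_form = {"form_id": "public-signup",
                       "urhidden": encrypt_field("administrator", AUTH_KEY, AUTH_SALT)}
    print("vulnerable:", vulnerable_register(key_holder_form))
    print("hardened:  ", hardened_register(key_holder_form))
```

The hardened handler also fails closed: if a server-side form is ever configured to grant a role outside the allow-list, registration through it raises rather than silently creating a privileged account.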
Potential Impact
For European organizations using WordPress websites with the WP User Frontend plugin prior to version 3.5.29, this vulnerability poses a severe risk. Successful exploitation grants attackers administrator-level access, enabling them to manipulate website content, steal sensitive data, deploy malware, or use the compromised site as a launchpad for further attacks within the organization's network. This can lead to data breaches involving personal data protected under GDPR, reputational damage, service disruption, and potential regulatory penalties. Organizations in sectors such as e-commerce, government, education, and media, which often rely on WordPress for public-facing sites, are particularly at risk. The vulnerability's remote and unauthenticated nature means attackers can exploit it without needing prior access or user interaction, increasing the likelihood of automated scanning and exploitation attempts. Given the widespread use of WordPress across Europe, the impact could be broad, affecting both small businesses and large enterprises that have not updated the plugin or secured their AUTH_KEY and AUTH_SALT constants properly.
Mitigation Recommendations
1. Immediately update the WP User Frontend plugin to version 3.5.29 or later, where this vulnerability is patched.
2. Ensure that the WordPress AUTH_KEY and AUTH_SALT constants are unique, strong, and not set to default values. Regenerate these keys if there is any suspicion of compromise.
3. Restrict file system permissions to prevent unauthorized access to configuration files (such as wp-config.php) that contain the AUTH_KEY and AUTH_SALT constants.
4. Conduct regular security audits and vulnerability scans to detect outdated plugins and insecure configurations.
5. Implement web application firewalls (WAFs) with rules to detect and block suspicious requests targeting the 'urhidden' parameter or unusual account creation patterns.
6. Monitor WordPress user accounts for unexpected privilege escalations or new administrator accounts.
7. Educate site administrators on the importance of timely plugin updates and secure key management.
8. Consider disabling or restricting user registration if not required, or implement additional verification steps for new accounts to reduce risk.
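Recommendations 2 and 3 are straightforward to check mechanically. The script below, an added example rather than part of this advisory, reads a wp-config.php and flags secret constants that are missing, still set to the placeholder that ships in wp-config-sample.php, shorter than a policy threshold, or reused across constants, and reports if the file is readable by other users. It covers all eight WordPress secret constants, not only the AUTH_KEY and AUTH_SALT pair named in the CVE; the 32-character threshold and the permission rule are assumed policy values, and the sample configuration is constructed.

```python
"""Audit a wp-config.php for default, short, missing or reused WordPress secret
keys and for loose file permissions. Added example, not part of the advisory."""
import os
import re
import stat
from collections import Counter

# The eight secret constants a standard wp-config.php defines.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFAULT_PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 32  # assumption: policy threshold (WordPress-generated keys are 64 characters)

# Matches define('NAME', 'value') / define("NAME", "value") on one line.
DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")


def parse_defines(config_text: str) -> dict:
    """Collect define('NAME', 'value') pairs from PHP source text."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}


def audit_keys(config_text: str) -> list:
    """Return (constant, problem) findings; an empty list means the keys look sane."""
    defines = parse_defines(config_text)
    present = {c: defines[c] for c in WP_SECRET_CONSTANTS if c in defines}
    reused = {v for v, n in Counter(present.values()).items() if n > 1}
    findings = []
    for name in WP_SECRET_CONSTANTS:
        if name not in present:
            findings.append((name, "not defined in wp-config.php"))
            continue
        value = present[name]
        if value == DEFAULT_PLACEHOLDER:
            findings.append((name, "default placeholder value"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, f"shorter than {MIN_LENGTH} characters"))
        if value in reused:
            findings.append((name, "same value as another secret constant"))
    return findings


def audit_file(path: str) -> list:
    """Audit the keys in a wp-config.php on disk plus its permission bits."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_keys(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o004:  # assumption: world-readable config is never acceptable
        findings.append(("wp-config.php", f"readable by other users (mode {mode:o})"))
    return findings


# Constructed sample: every constant left at the sample-file placeholder.
DEFAULT_CONFIG = "\n".join(
    f"define('{c}', '{DEFAULT_PLACEHOLDER}');" for c in WP_SECRET_CONSTANTS
)

if __name__ == "__main__":
    for constant, problem in audit_keys(DEFAULT_CONFIG):
        print(f"{constant}: {problem}")
```

Run it as `audit_file("/path/to/wp-config.php")` on a real install; any finding against AUTH_KEY or AUTH_SALT means the precondition for this CVE is already met on that site, independent of the plugin version.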
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: WPScan
- Date Reserved: 2021-01-14T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee29f
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 7/2/2025, 4:56:09 AM
Last updated: 7/28/2025, 6:33:17 PM
Related Threats
- CVE-2025-50610: n/a (High)
- CVE-2025-50609: n/a (High)
- CVE-2025-50608: n/a (High)
- CVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server (Medium)
- CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf (Medium)