CVE-2024-0324: CWE-284 Improper Access Control in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
AI Analysis
Technical Summary
The User Profile Builder plugin for WordPress suffers from an improper access control vulnerability (CWE-284) because the 'wppb_two_factor_authentication_settings_update' function lacks a capability check. This flaw allows unauthenticated attackers to change 2FA settings for any user role, potentially weakening security controls. The vulnerability affects all versions up to and including 3.10.8. The CVSS 3.1 base score is 8.2, reflecting high severity with network attack vector, no privileges required, no user interaction needed, and impact limited to integrity and low availability. No patch or official remediation has been provided by the vendor as of the published date.
Potential Impact
An unauthenticated attacker can modify two-factor authentication settings for arbitrary user roles in the plugin, potentially disabling 2FA protections and increasing the risk of unauthorized access to user accounts. This compromises the integrity of authentication controls and may lead to further exploitation. The vulnerability does not directly impact confidentiality but can reduce the overall security posture of affected WordPress sites using the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling or limiting the use of the affected plugin, especially the Premium 2FA features, or implement compensating controls to monitor and restrict unauthorized changes to authentication settings. Avoid exposing the WordPress installation to untrusted networks where unauthenticated attackers can reach the plugin functionality.
CVE-2024-0324: CWE-284 Improper Access Control in cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The User Profile Builder plugin for WordPress suffers from an improper access control vulnerability (CWE-284) because the 'wppb_two_factor_authentication_settings_update' function lacks a capability check. This flaw allows unauthenticated attackers to change 2FA settings for any user role, potentially weakening security controls. The vulnerability affects all versions up to and including 3.10.8. The CVSS 3.1 base score is 8.2, reflecting high severity with network attack vector, no privileges required, no user interaction needed, and impact limited to integrity and low availability. No patch or official remediation has been provided by the vendor as of the published date.
Potential Impact
An unauthenticated attacker can modify two-factor authentication settings for arbitrary user roles in the plugin, potentially disabling 2FA protections and increasing the risk of unauthorized access to user accounts. This compromises the integrity of authentication controls and may lead to further exploitation. The vulnerability does not directly impact confidentiality but can reduce the overall security posture of affected WordPress sites using the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling or limiting the use of the affected plugin, especially the Premium 2FA features, or implement compensating controls to monitor and restrict unauthorized changes to authentication settings. Avoid exposing the WordPress installation to untrusted networks where unauthenticated attackers can reach the plugin functionality.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-08T15:36:02.001Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec332
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 4/9/2026, 6:52:53 PM
Last updated: 5/8/2026, 4:23:25 PM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.