
CVE-2024-12822: CWE-862 Missing Authorization in DeluxeThemes Media Manager for UserPro

Severity: Critical
Tags: Vulnerability, CVE-2024-12822, CWE-862
Published: Thu Jan 30 2025 (01/30/2025, 13:42:07 UTC)
Source: CVE Database V5
Vendor/Project: DeluxeThemes
Product: Media Manager for UserPro

Description

CVE-2024-12822 is a critical vulnerability in the Media Manager for UserPro WordPress plugin by DeluxeThemes, affecting all versions up to and including 3.11.0. It stems from a missing authorization (capability) check in the add_capto_img() function, which lets unauthenticated attackers update arbitrary WordPress options. By changing the default role for new registrations to administrator and enabling user registration, an attacker can then simply register an administrator account. The vulnerability carries a CVSS 3.1 base score of 9.8 (critical): it is reachable over the network with no privileges and no user interaction. No exploitation in the wild had been reported at the time of writing, but the attack needs only two option writes and a registration, and the result is full control of the site. Organizations running WordPress sites with this plugin should treat it as a site-takeover risk and patch or mitigate immediately.

AI-Powered Analysis

Last updated: 02/26/2026, 02:55:58 UTC

Technical Analysis

CVE-2024-12822 affects the Media Manager for UserPro plugin for WordPress, developed by DeluxeThemes, in all versions up to and including 3.11.0. The root cause is a missing capability check in the add_capto_img() function: it can be invoked by unauthenticated requests and updates WordPress options whose name and value the caller controls, without verifying that the caller is allowed to do so. Two core options are enough for a takeover. Setting default_role to administrator makes every newly registered account an administrator, and setting users_can_register to 1 opens registration; the attacker then registers an account and logs in with full control of the site. The CVSS 3.1 base score is 9.8 (critical): network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability (these metrics correspond to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). No public exploit had been reported when this entry was written, but an unauthenticated arbitrary option update is among the simplest WordPress primitives to weaponize, and the two option names involved are well known. This entry records no patch link, so confirm the fixed version with the vendor or with the assigner (Wordfence) before relying on an update, and mitigate until then. The weakness is classified as CWE-862 (Missing Authorization): a privileged operation performed without checking that the caller is permitted to perform it.
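The authorization failure described above, as an added example that is not code from the plugin or from this entry: a handler in the vulnerable shape beside a hardened one. The function names, the mm_userpro_* identifiers, the nonce action and the minimal WordPress stand-ins are assumptions for illustration; the real body of add_capto_img() is not reproduced here. Run it with plain php to replay the two-option attack chain against both handlers; inside WordPress the stand-ins are skipped and the real functions are used.

```php
<?php
// Added example (not code from the Media Manager for UserPro plugin): the
// CWE-862 pattern described in this entry beside its fix. Handler names,
// 'mm_userpro_*' identifiers and the nonce action are assumptions.
declare(strict_types=1);

// Stand-ins for the WordPress functions used below, defined only when the
// file runs outside WordPress (plain `php this-file.php`), so the demo at the
// bottom executes offline. Inside WordPress the real functions are used.
if (!function_exists('update_option')) {
    $GLOBALS['wp_options'] = ['default_role' => 'subscriber', 'users_can_register' => '0'];
    $GLOBALS['wp_caps']    = [];  // empty capability set = unauthenticated visitor
    function update_option(string $key, $value): bool { $GLOBALS['wp_options'][$key] = $value; return true; }
    function get_option(string $key) { return $GLOBALS['wp_options'][$key] ?? false; }
    function current_user_can(string $cap): bool { return in_array($cap, $GLOBALS['wp_caps'], true); }
    function check_ajax_referer(string $action, string $arg = '_wpnonce', bool $die = true): bool {
        $ok = ($_REQUEST[$arg] ?? '') === 'valid-nonce:' . $action;  // real WP verifies an HMAC nonce
        if (!$ok && $die) { throw new RuntimeException('nonce check failed'); }
        return $ok;
    }
    function wp_send_json_error($data = null, int $status = 403): void {
        throw new RuntimeException("HTTP $status " . json_encode($data));  // real WP prints JSON and exits
    }
    function sanitize_key(string $k): string { return preg_replace('/[^a-z0-9_\-]/', '', strtolower($k)); }
    function sanitize_text_field(string $v): string { return trim(strip_tags($v)); }
}

// BEFORE: the shape of the flaw. No nonce, no capability check, and the
// option key comes straight from the request, so an anonymous caller can
// write core options such as default_role and users_can_register.
function mm_userpro_save_option_vulnerable(array $req): void {
    update_option((string) $req['option_name'], $req['option_value']);
}

// AFTER: authorization first, then an allowlist of the plugin's own option
// keys, then value sanitization. Core options are unreachable by construction.
const MM_USERPRO_ALLOWED_OPTIONS = ['mm_userpro_caption_default'];  // hypothetical plugin option

function mm_userpro_save_option_hardened(array $req): void {
    check_ajax_referer('mm_userpro_save_option', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $key = sanitize_key((string) ($req['option_name'] ?? ''));
    if (!in_array($key, MM_USERPRO_ALLOWED_OPTIONS, true)) {
        wp_send_json_error(['message' => 'option not permitted'], 400);
    }
    update_option($key, sanitize_text_field((string) ($req['option_value'] ?? '')));
}

// Registration: hook only wp_ajax_* (logged-in users). A wp_ajax_nopriv_*
// hook would expose the handler to anonymous requests.
if (function_exists('add_action')) {
    add_action('wp_ajax_mm_userpro_save_option', function (): void {
        mm_userpro_save_option_hardened($_POST);
    });
}

// Offline demo of the attack chain from the advisory: two unauthenticated
// writes succeed against the vulnerable handler; the hardened handler refuses
// the same requests at its first gate.
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $attack = [['option_name' => 'default_role',       'option_value' => 'administrator'],
               ['option_name' => 'users_can_register', 'option_value' => '1']];
    foreach ($attack as $req) { mm_userpro_save_option_vulnerable($req); }
    printf("vulnerable: default_role=%s users_can_register=%s\n",
           get_option('default_role'), get_option('users_can_register'));

    // Reset the simulated options and replay with a guessed nonce.
    $GLOBALS['wp_options'] = ['default_role' => 'subscriber', 'users_can_register' => '0'];
    $_REQUEST['nonce'] = 'guess';
    foreach ($attack as $req) {
        try { mm_userpro_save_option_hardened($req); }
        catch (RuntimeException $e) { echo "hardened: rejected (", $e->getMessage(), ")\n"; }
    }
    printf("hardened: default_role=%s users_can_register=%s\n",
           get_option('default_role'), get_option('users_can_register'));
}
```

The order of the gates matters: the nonce check rejects cross-site and replayed requests, the capability check rejects every caller below administrator, and the allowlist means that even a logged-in administrator cannot be tricked into writing an option the plugin does not own.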

Potential Impact

Successful exploitation of CVE-2024-12822 gives an unauthenticated attacker an administrator account, which on WordPress means complete control of the site: changing content, installing malicious plugins or backdoors, reading any data the site holds (customer records, credentials stored by other plugins), defacing pages, or taking the site down. The impact therefore spans confidentiality, integrity and availability. Because WordPress is widely used for business, e-commerce and content sites, the exposure is global. A compromised site can also serve as a foothold for lateral movement into the hosting environment (the web server, its database and any credentials stored in the deployment) or as a platform for phishing and malware distribution. With no privileges or user interaction required, exploitation is cheap, and attempts are likely to scale quickly once exploit code circulates.

Mitigation Recommendations

1. If self-service registration is not required, disable it (Settings → General, "Anyone can register", which is the users_can_register option) so that a flipped default_role cannot be turned into an account. An attacker who can still write options can re-enable it, so this is a stopgap, not a fix.
2. Block unauthenticated requests that reach the add_capto_img() handler with a web application firewall or security plugin until a fixed version is installed; removing the plugin until then eliminates the exposure entirely.
3. Monitor for changes to default_role and users_can_register and for new accounts registered with the administrator role, and alert on either.
4. Audit the current state now: confirm default_role is the intended role (normally subscriber), confirm users_can_register matches policy, and review every administrator account, demoting or removing any your team did not create.
5. Keep WordPress core and all plugins updated; watch for an official fixed release from DeluxeThemes and apply it as soon as it is available.
6. Apply least privilege to WordPress users and review roles and permissions regularly.
7. Require multi-factor authentication for administrator accounts to limit the value of stolen credentials; note that it does not block this attack, which registers a fresh account rather than stealing one.
8. Back up WordPress sites regularly and verify that backups restore cleanly, so a compromised site can be rebuilt.
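The audit and cleanup steps above (items 1, 3 and 4), as one added example that is not code from this page, the plugin or WordPress: a script to run inside a WordPress install with WP-CLI's wp eval-file. The expected default role, the start of the exposure window and the choice to demote and lock out rather than delete suspect accounts are assumptions stated in the code; adjust them to the site.

```php
<?php
// Added example (not the plugin's or this page's own code): post-exposure
// audit for the attack chain in this entry. Run inside WordPress, e.g.
//   wp eval-file audit-registration-takeover.php
// Assumptions: expected default role is 'subscriber'; the exposure window
// starts at the CVE reservation date; rogue admins are demoted and locked out
// rather than deleted (deletion would also remove content they own).
declare(strict_types=1);

if (!function_exists('get_option')) {
    fwrite(STDERR, "WordPress is not loaded; run with `wp eval-file " . basename(__FILE__) . "`\n");
    exit(1);
}

$expected_role = 'subscriber';           // assumption: change if the site intentionally uses another default
$since         = '2024-12-19 00:00:00';  // assumption: CVE-2024-12822 was reserved on this date
$remediate     = false;                  // set to true only after reviewing the findings
$findings      = [];

// 1. The two core options the advisory says an attacker flips.
$role = (string) get_option('default_role');
$reg  = (string) get_option('users_can_register');
if ($role !== $expected_role) { $findings[] = "default_role is '$role', expected '$expected_role'"; }
if ($reg === '1')             { $findings[] = "users_can_register is enabled"; }

// 2. Administrator accounts registered during the exposure window. String
//    comparison is safe: user_registered is stored as 'YYYY-MM-DD HH:MM:SS' (UTC).
$suspects = array_filter(
    get_users(['role' => 'administrator']),
    fn(WP_User $u): bool => $u->user_registered >= $since
);
foreach ($suspects as $u) {
    $findings[] = sprintf("administrator '%s' (ID %d, %s) registered %s",
        $u->user_login, $u->ID, $u->user_email, $u->user_registered);
}

if (!$findings) {
    echo "No indicators found.\n";
    exit(0);
}
echo "Findings:\n";
foreach ($findings as $f) { echo " - $f\n"; }

if (!$remediate) {
    echo "Dry run; set \$remediate = true to apply the changes below.\n";
    exit(2);
}

// 3. Undo the attacker's option changes.
update_option('default_role', $expected_role);
update_option('users_can_register', '0');

// 4. Demote each suspect, rotate its password and destroy every session so a
//    logged-in attacker loses access immediately. Legitimate administrators
//    created in the window are hit too, so review the list first.
foreach ($suspects as $u) {
    $u->set_role('subscriber');
    wp_set_password(wp_generate_password(32, true, true), $u->ID);
    WP_Session_Tokens::get_instance($u->ID)->destroy_all();
    echo "Demoted and locked out '{$u->user_login}'\n";
}
echo "Remediated. Patch or remove the plugin next: the options can be flipped again while it stays exposed.\n";
```

The script is read-only by default and exits 2 when it finds indicators, which makes it usable as a scheduled check; flip $remediate after reading the findings. Note that cleaning the options and accounts does not remove anything the attacker installed while they had administrator access (plugins, theme edits, scheduled tasks), so a positive finding should start a full compromise assessment rather than end with this script.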


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-19T20:49:14.562Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e48b7ef31ef0b59c4e9

Added to database: 2/25/2026, 9:48:56 PM

Last enriched: 2/26/2026, 2:55:58 AM

Last updated: 2/26/2026, 6:13:43 AM

