CVE-2024-2931: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in syammohanm WPFront User Role Editor
The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site.
AI Analysis
Technical Summary
CVE-2024-2931 is a CWE-200 vulnerability in the WPFront User Role Editor WordPress plugin that allows authenticated users with subscriber-level privileges or higher to exploit the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action to extract email addresses of all registered users on the site. This information disclosure affects all plugin versions up to 3.2.1.11184. The vulnerability does not require user interaction and has a low attack complexity but requires authentication.
Potential Impact
An attacker with subscriber-level access can obtain the email addresses of all users registered on the WordPress site using the vulnerable plugin. This exposure of sensitive information could facilitate phishing or targeted social engineering attacks but does not directly compromise system integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting subscriber-level access or disabling the vulnerable AJAX action if possible. Monitor for updates from the plugin vendor regarding patches or official mitigations.
CVE-2024-2931: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in syammohanm WPFront User Role Editor
Description
The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-2931 is a CWE-200 vulnerability in the WPFront User Role Editor WordPress plugin that allows authenticated users with subscriber-level privileges or higher to exploit the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action to extract email addresses of all registered users on the site. This information disclosure affects all plugin versions up to 3.2.1.11184. The vulnerability does not require user interaction and has a low attack complexity but requires authentication.
Potential Impact
An attacker with subscriber-level access can obtain the email addresses of all users registered on the WordPress site using the vulnerable plugin. This exposure of sensitive information could facilitate phishing or targeted social engineering attacks but does not directly compromise system integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting subscriber-level access or disabling the vulnerable AJAX action if possible. Monitor for updates from the plugin vendor regarding patches or official mitigations.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-03-26T15:42:54.988Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6dbab7ef31ef0b58d3e6
Added to database: 2/25/2026, 9:46:34 PM
Last enriched: 4/9/2026, 7:54:56 PM
Last updated: 4/12/2026, 1:36:33 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.