CVE-2024-4870: CWE-266 Incorrect Privilege Assignment in pokornydavid Frontend Registration – Contact Form 7
The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings.
AI Analysis
Technical Summary
The Frontend Registration – Contact Form 7 plugin for WordPress suffers from an incorrect privilege assignment vulnerability (CWE-266) in versions up to and including 5.1. Authenticated attackers with editor-level access or above can exploit insufficient restrictions on the '_cf7frr_' post meta to alter the default user role configured in the registration form settings. This privilege escalation can compromise the integrity of user role assignments within affected WordPress sites.
Potential Impact
Successful exploitation allows attackers with editor-level privileges to modify the default user role in the registration form, potentially granting themselves or others elevated privileges. This can lead to full compromise of the WordPress site, including confidentiality, integrity, and availability impacts as reflected by the CVSS score of 7.2 (high).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official patch or fix links are provided at this time. Until a fix is available, restrict editor-level access to trusted users only and monitor for suspicious changes to user roles within the plugin settings.
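One way to apply the two recommendations above while waiting for a fix, as an added example that is not the plugin's or the advisory's own code: a must-use plugin that refuses writes to the '_cf7frr_' post meta from any account below administrator and logs every attempt, so a changed default role can be caught and attributed. It assumes the plugin saves its form settings through the WordPress metadata API (update_post_meta/add_post_meta); the filter names and capability check are standard WordPress, the guard function name and log format are mine.

```php
<?php
/**
 * Plugin Name: Guard _cf7frr_ registration settings (added example, not plugin code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the plugin stores its form settings via the WordPress
 * metadata API, so the short-circuit filters below see every write.
 */

const CF7FRR_META_KEY = '_cf7frr_';

/**
 * Short-circuit filter for update_post_metadata / add_post_metadata.
 * Returning a non-null value stops WordPress from writing the meta row.
 */
function cf7frr_guard_meta_write( $check, $object_id, $meta_key, $meta_value ) {
    if ( CF7FRR_META_KEY !== $meta_key ) {
        return $check; // not the registration settings, keep default behaviour
    }

    $user    = wp_get_current_user();
    $allowed = current_user_can( 'manage_options' ); // administrators only, editors are refused

    // Log who touched the registration settings, from where, and whether it went through,
    // so role changes in the form settings can be reviewed after the fact.
    error_log( sprintf(
        '[cf7frr-guard] %s user=%s(%d) post=%d ip=%s',
        $allowed ? 'ALLOWED' : 'BLOCKED',
        $user->user_login ?: 'anonymous',
        $user->ID,
        (int) $object_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // false tells the caller the write failed, without touching the database.
    return $allowed ? $check : false;
}

add_filter( 'update_post_metadata', 'cf7frr_guard_meta_write', 10, 4 );
add_filter( 'add_post_metadata', 'cf7frr_guard_meta_write', 10, 4 );
```

The guard only sees writes that go through the metadata API; a plugin writing with $wpdb directly would bypass it, so confirm the save path in the installed version before relying on this.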
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-05-14T13:28:23.376Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b97b7ef31ef0b557009
Added to database: 2/25/2026, 9:37:27 PM
Last enriched: 4/9/2026, 7:50:38 AM
Last updated: 4/11/2026, 9:26:40 PM