CVE-2024-7493: CWE-269 Improper Privilege Management in whyun WPCOM Member
The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.
AI Analysis
Technical Summary
CVE-2024-7493 is a critical privilege escalation vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.5.2.1. The vulnerability arises because the plugin improperly allows arbitrary data to be passed to the wp_insert_user() function during registration. This flaw enables unauthenticated attackers to escalate their privileges by setting their user role to administrator upon registration. The vulnerability is classified under CWE-269 (Improper Privilege Management) and has a CVSS 3.1 base score of 9.8, reflecting high impact on confidentiality, integrity, and availability. There is currently no vendor-provided patch or official remediation guidance available.
Potential Impact
Successful exploitation allows unauthenticated attackers to gain administrator privileges on affected WordPress sites using the WPCOM Member plugin. This can lead to full control over the site, including the ability to modify content, install malicious code, and compromise site integrity and availability. The critical CVSS score of 9.8 reflects the high potential impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to disable or remove the WPCOM Member plugin to prevent exploitation. Monitor official vendor channels for updates and apply patches promptly once available.
CVE-2024-7493: CWE-269 Improper Privilege Management in whyun WPCOM Member
Description
The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-7493 is a critical privilege escalation vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.5.2.1. The vulnerability arises because the plugin improperly allows arbitrary data to be passed to the wp_insert_user() function during registration. This flaw enables unauthenticated attackers to escalate their privileges by setting their user role to administrator upon registration. The vulnerability is classified under CWE-269 (Improper Privilege Management) and has a CVSS 3.1 base score of 9.8, reflecting high impact on confidentiality, integrity, and availability. There is currently no vendor-provided patch or official remediation guidance available.
Potential Impact
Successful exploitation allows unauthenticated attackers to gain administrator privileges on affected WordPress sites using the WPCOM Member plugin. This can lead to full control over the site, including the ability to modify content, install malicious code, and compromise site integrity and availability. The critical CVSS score of 9.8 reflects the high potential impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, it is recommended to disable or remove the WPCOM Member plugin to prevent exploitation. Monitor official vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-08-05T15:06:30.037Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c18b7ef31ef0b55fe38
Added to database: 2/25/2026, 9:39:36 PM
Last enriched: 4/9/2026, 8:18:42 AM
Last updated: 5/29/2026, 7:13:17 PM
Views: 20
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.