cbcvebase.
CVE-2024-8292
published 2024-09-06

CVE-2024-8292: The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and…

PriorityP266critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.60%
44.4th percentile
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to to plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit.

Affected

1 ranges
VendorProductVersion rangeFixed in
plechevandreywp-recall< 16.26.916.26.9
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.