CVE-2021-24158: 
WordPress vulnerability analysis and mitigation

CVE-2021-24158 is a privilege escalation vulnerability discovered in the Orbit Fox by ThemeIsle WordPress plugin versions prior to 2.10.3. The vulnerability was publicly disclosed on January 12, 2021, affecting sites with user registration enabled and either Elementor or Beaver Builder installed alongside Orbit Fox (WPScan).

The vulnerability exists in the registration form feature of Orbit Fox that integrates with both Elementor and Beaver Builder page builders. While administrators can set default user roles for new registrations, the user_role parameter was accessible to lower-privileged users despite being hidden from view. The vulnerability has been assigned a CVSS score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating its severe nature (Wordfence).

The vulnerability allows authenticated users with lower privileges to manipulate the default role setting for new user registrations, potentially creating new administrator accounts and completely compromising the affected WordPress site (WPScan).

The vulnerability was patched in Orbit Fox version 2.10.3. Site administrators are strongly advised to update to this version or later to prevent potential exploitation (Wordfence).