CVE-2024-10800: 
WordPress vulnerability analysis and mitigation

The WordPress User Extra Fields plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-10800) discovered in versions up to and including 16.6. The vulnerability was disclosed on November 13, 2024, and affects the plugin's capability checking mechanism (NVD).

The vulnerability stems from a missing capability check in the ajaxsavefields() function. This security flaw allows authenticated attackers with subscriber-level access or higher to add custom fields and subsequently exploit the checkandoverwritewporwoocommercefields function to modify the wp_capabilities field, effectively granting themselves administrator privileges. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Wordfence).

The vulnerability allows authenticated attackers to escalate their privileges to administrator level, potentially gaining full control over the WordPress installation. This could lead to complete site compromise, as administrator access permits modification of site content, plugin and theme management, user administration, and access to sensitive site settings (NVD).

Site administrators should immediately update the WordPress User Extra Fields plugin to version 16.7 or later, which contains security improvements that address this vulnerability (Product).