CVE-2024-12821: 
WordPress vulnerability analysis and mitigation

The Media Manager for UserPro plugin for WordPress (CVE-2024-12821) contains a missing authorization vulnerability that affects all versions up to and including 3.12.0. The vulnerability was discovered and disclosed on January 30, 2025 (NVD, Wordfence).

The vulnerability stems from a missing capability check in the upmuploadmedia() function. This security flaw allows authenticated users with Subscriber-level access or higher to update arbitrary options on the WordPress site. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) from Wordfence and 6.5 (Medium) from NVD, indicating its significant security impact (NVD).

The vulnerability enables authenticated attackers to update arbitrary options on the WordPress site. Most critically, attackers can modify the default role for new user registrations to administrator and enable user registration, ultimately allowing them to gain administrative access to the vulnerable site (NVD).

Site administrators should immediately update the Media Manager for UserPro plugin to a version newer than 3.12.0 if available. Until an update is applied, it is recommended to restrict user registration and review user roles and permissions (NVD).