CVE-2024-1991: 
WordPress vulnerability analysis and mitigation

The RegistrationMagic WordPress plugin (versions up to and including 5.3.0.0) contains a privilege escalation vulnerability identified as CVE-2024-1991. The vulnerability stems from a missing capability check in the updateusersrole() function, which allows authenticated users with subscriber-level access or higher to escalate their privileges to administrator level (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-862 (Missing Authorization) and affects the plugin's user role management functionality. The vulnerability exists in the updateusersrole() function where proper authorization checks are absent, allowing authenticated users to modify their privileges (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with subscriber-level access or higher to elevate their privileges to administrator level. This could lead to complete site compromise, as administrator access enables full control over the WordPress installation, including the ability to modify site content, install malicious plugins, and access sensitive information (Hacker News).

The vulnerability has been patched in version 5.3.1.0 of the RegistrationMagic plugin. Site administrators are strongly advised to update to this version immediately to prevent potential exploitation (Hacker News).