CVE-2024-56040: 
WordPress vulnerability analysis and mitigation

CVE-2024-56040 is an Incorrect Privilege Assignment vulnerability affecting VibeThemes VibeBP WordPress plugin versions through 1.9.9.4.1. The vulnerability was discovered by Rafie Muhammad and disclosed on December 17, 2024, with a CVSS score of 9.8 (Critical) (Patchstack Database).

The vulnerability exists in the vibebpregisteruser function within includes/class.ajax.php. The function processes registration form submissions but fails to properly validate user roles during registration. The vulnerability allows attackers to arbitrarily set the $settings object and manipulate the $userargs['role'] value, which is then used in wpinsertuser($userargs) without proper validation (Bleeping Computer).

This vulnerability allows unauthenticated attackers to register as privileged users, potentially gaining administrator-level access to the affected WordPress site. The critical severity rating (CVSS 9.8) indicates the potential for complete system compromise if successfully exploited (Patchstack Database).

Users should immediately update to VibeBP version 1.9.9.5 or later, which implements proper role validation during user registration. The patch ensures users can only register with specifically acceptable roles configured from the registration form settings (Patchstack Database).