CVE-2024-9863: 
WordPress vulnerability analysis and mitigation

The UserPro plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-9863) discovered in versions up to and including 3.6.0. The vulnerability was disclosed on October 16, 2024, and affects the Miniorange OTP Verification with Firebase plugin. The issue stems from an insecure 'administrator' default value for the 'defaultuserrole' option (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-266 (Incorrect Privilege Assignment). The technical issue allows unauthenticated attackers to register an administrator user even when the registration form is disabled, due to the insecure default configuration (Wordfence Report).

The vulnerability allows unauthenticated attackers to gain administrative privileges on affected WordPress installations. This level of access grants complete control over the WordPress site, including the ability to modify content, install or remove plugins and themes, and manage user accounts (NVD).

Site administrators running affected versions of the Miniorange OTP Verification with Firebase plugin should update to a patched version immediately. The vulnerability has been addressed in versions after 3.6.0 (Wordfence Report).