Skip to main content

Signup Page plugin CVE-2024-50475

CRITICAL
Missing Authorization (CWE-862)
2024-10-29 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Oct 29, 2024 - 09:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Scott Gamon Signup Page signup-page allows Privilege Escalation.This issue affects Signup Page: from n/a through <= 1.0.

AnalysisAI

Privilege escalation in Scott Gamon's Signup Page WordPress plugin (versions up to and including 1.0) allows remote unauthenticated attackers to elevate privileges due to a missing authorization check (CWE-862). With a CVSS score of 9.8 and an EPSS score of 31.97% (97th percentile), this represents an elevated exploitation likelihood, though no public exploit is identified at time of analysis.

Technical ContextAI

The Signup Page plugin is a WordPress extension developed by Scott Gamon that handles user signup functionality. The root cause is CWE-862 (Missing Authorization), where the application fails to perform an authorization check before granting access to a sensitive function or resource. In the context of a signup/registration plugin, this typically means privileged actions (such as setting user roles or capabilities during registration) are exposed without proper capability checks via WordPress's current_user_can() or nonce verification mechanisms, allowing attackers to bypass the intended privilege model.

Affected ProductsAI

Scott Gamon Signup Page plugin for WordPress, all versions from n/a through and including 1.0 are affected. No CPE string was provided in the available data. The vendor advisory was not provided in references, but Patchstack typically publishes details at patchstack.com given audit@patchstack.com is the CNA for this CVE.

RemediationAI

No vendor-released patch identified at time of analysis - version 1.0 is the latest affected version with no fixed version disclosed in the available data. As a primary compensating control, deactivate and uninstall the Signup Page plugin until a patched release is published, since the affected functionality is the plugin's core purpose and partial mitigation is not feasible. If the plugin must remain active, restrict access to the WordPress registration endpoints via web application firewall rules (Patchstack, Wordfence, or equivalent virtual patching) and disable open user registration in WordPress Settings > General by unchecking 'Anyone can register,' though this may not block the vulnerable codepath if it bypasses standard registration. Monitor the Patchstack advisory database and the plugin's repository page on wordpress.org for a fixed version release.

Share

CVE-2024-50475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy