Meetup WordPress Plugin CVE-2024-50483
Severity (by source): CRITICAL
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD, the only source for this CVE.
Description (source: CVE.org)
Authorization Bypass Through User-Controlled Key vulnerability in Tareq Hasan Meetup meetup allows Privilege Escalation. This issue affects Meetup: from n/a through <= 0.1.
Analysis (AI-generated)
Privilege escalation in Tareq Hasan's Meetup WordPress plugin (versions through 0.1) allows remote, unauthenticated attackers to bypass authorization checks by manipulating a user-controlled key. With an EPSS score of 65.62% (98th percentile), the probability of exploitation is high, although no public exploit had been identified at the time of analysis. Patchstack reported this CVSS 9.8 issue, which affects a plugin in the WordPress ecosystem.
Technical Context (AI-generated)
The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), an Insecure Direct Object Reference (IDOR) class flaw where the application uses a user-supplied identifier (such as a user ID, object ID, or session key) without verifying that the requester is authorized to act on that resource. The affected component is the Meetup plugin by Tareq Hasan (CPE: cpe:2.3:a:tareqhasan:meetup:*:*:*:*:*:wordpress:*:*), which integrates with WordPress to manage meetup functionality. In WordPress plugin contexts, this class of bug typically appears in AJAX handlers or REST endpoints that accept a user-controlled parameter and act on it without calling current_user_can() or comparing against the authenticated session's user ID, enabling horizontal or vertical privilege escalation.
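As an added illustration of the handler pattern described above (hypothetical code, not the Meetup plugin's own; all function and action names are invented for the example), a `wp_ajax_` handler that trusts a request-supplied user ID is shown next to a hardened version that verifies the nonce, the caller's identity and the caller's capabilities before acting:

```php
<?php
// Hypothetical illustration of CWE-639 in a WordPress AJAX handler.
// Not code from the Meetup plugin; every name below is invented.

// VULNERABLE: the handler acts on whatever user_id the request names and
// never checks who is logged in or what they are allowed to do.
function example_vulnerable_update_role() {
    $user_id = intval( $_POST['user_id'] );          // user-controlled key
    $role    = sanitize_text_field( $_POST['role'] );
    $user    = new WP_User( $user_id );
    $user->set_role( $role );                        // any user, any role
    wp_send_json_success();
}
// Registered for both hooks, so it is reachable without a session (PR:N).
add_action( 'wp_ajax_example_update_role', 'example_vulnerable_update_role' );
add_action( 'wp_ajax_nopriv_example_update_role', 'example_vulnerable_update_role' );

// HARDENED: CSRF nonce, ownership check and capability checks.
function example_hardened_update_role() {
    check_ajax_referer( 'example_update_role_v2', 'nonce' ); // dies on bad nonce

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // Ownership: the key in the request must match the authenticated session
    // unless the caller holds the meta capability to edit that user.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Vertical escalation: changing a role needs its own capability, and only
    // roles that exist in this site's role table are accepted.
    if ( ! current_user_can( 'promote_users' ) || ! get_role( $role ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = new WP_User( $user_id );
    if ( ! $user->exists() ) {
        wp_send_json_error( 'not found', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success();
}
// Logged-in hook only: no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_example_update_role_v2', 'example_hardened_update_role' );
```

The ownership comparison against `get_current_user_id()` is the check whose absence defines CWE-639; the nonce and capability checks close the CSRF and vertical-escalation paths that usually accompany it.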
Remediation (AI-generated)
No vendor-released patch had been identified at the time of analysis: the advisory states that the vulnerability affects all versions up to and including 0.1, with no fixed version listed. Given the absence of a patched release, the most defensible action is to deactivate and remove the Meetup plugin from affected WordPress installations until the maintainer publishes a fix; this fully eliminates exposure but obviously removes the plugin's functionality. If removal is not acceptable, a compensating control is to restrict access to the plugin's AJAX endpoints (admin-ajax.php actions registered by the plugin) and any custom REST routes with a Web Application Firewall rule that requires an authenticated session and validates that user-supplied ID parameters match the requester's user ID; this preserves functionality at the cost of WAF tuning effort and possible breakage of legitimate workflows. Monitor the Patchstack advisory page and the plugin's repository for an updated release.