
Exam Matrix CVE-2024-50485

CRITICAL
Incorrect Privilege Assignment (CWE-266)
Published 2024-10-29 · CNA: audit@patchstack.com (Patchstack)
9.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

CVSS changed: Apr 23, 2026 15:22 (NVD), score 9.8 (CRITICAL)
CVE Published: Oct 29, 2024 09:15 (NVD), score N/A at publication

Description (CVE.org)

Incorrect Privilege Assignment vulnerability in Udit Rawat Exam Matrix exam-matrix allows Privilege Escalation. This issue affects Exam Matrix: from n/a through <= 1.5.

Analysis (AI)

Privilege escalation in the Udit Rawat Exam Matrix WordPress plugin (versions up to and including 1.5) allows remote, unauthenticated attackers to obtain elevated privileges because of incorrect privilege assignment (CWE-266): the NVD vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no privileges and no user interaction. The CVSS 9.8 rating together with an EPSS score of 21.91% (96th percentile, i.e. a high estimated probability of exploitation in the wild relative to other CVEs) warrants prompt attention, though no public exploit had been identified at the time of analysis. A successful attack compromises the confidentiality, integrity and availability of the affected WordPress site in full, since an administrator-level account controls content, users, plugin installation and therefore code execution on the host.

Technical Context (AI)

Exam Matrix is a WordPress plugin developed by Udit Rawat that provides online exam/quiz functionality, typically used by educational sites. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), a weakness class in which the application grants a user a privilege or role higher than intended. In WordPress plugins this commonly appears in AJAX endpoints (especially those registered on wp_ajax_nopriv_* hooks, which are reachable without logging in), custom registration handlers, or role-setting functions that accept a role or capability name from the request without checking it against what the requester is actually permitted to assign. In this class of bug an attacker can typically register or update an account with administrator-level capabilities simply by supplying a role parameter, because sanitization of the value is not the same as authorization to hold it. The public description does not identify which Exam Matrix handler is affected; the Patchstack advisory should be consulted for specifics.
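The pattern described above, as an added illustration that is not the Exam Matrix plugin's code (the public description does not show the real code path): a hypothetical plugin AJAX handler that copies a role name from the request into wp_insert_user(), beside a hardened version that removes the role parameter from the unauthenticated path and gates role changes on the caller's capability and an allowlist. The hook names (em_*), POST parameter names and nonce actions are invented for the example; the WordPress functions used (add_action, wp_insert_user, check_ajax_referer, current_user_can, get_editable_roles, WP_User::set_role) are standard core APIs.

```php
<?php
/*
 * Added illustration of the CWE-266 pattern, NOT the Exam Matrix source.
 * Hook names (em_*), parameter names and nonce actions are invented.
 */

// ---- Vulnerable pattern --------------------------------------------------
// Registered on wp_ajax_nopriv_*, so logged-out visitors can reach it, and the
// role is copied from the request into wp_insert_user() unchanged.
add_action('wp_ajax_nopriv_em_register', 'em_register_vulnerable');
add_action('wp_ajax_em_register', 'em_register_vulnerable');

function em_register_vulnerable() {
    $login = sanitize_user(wp_unslash($_POST['username'] ?? ''), true);
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $role  = sanitize_text_field(wp_unslash($_POST['role'] ?? 'subscriber'));

    // sanitize_text_field() strips tags; it says nothing about whether the
    // caller may hold $role. POST role=administrator therefore creates an
    // administrator. That is the incorrect privilege assignment.
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24),
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}

// ---- Hardened pattern ----------------------------------------------------
// (a) Self-registration for logged-out users never reads a role from the
//     request; the site's configured default role is used unconditionally.
add_action('wp_ajax_nopriv_em_self_register', 'em_self_register');

function em_self_register() {
    if (!get_option('users_can_register')) {
        wp_send_json_error('Registration is closed.', 403);
    }
    // A nonce only proves the request came from a page we rendered (CSRF);
    // it is not an authorization check, which is why the role is fixed below.
    check_ajax_referer('em_self_register', 'nonce');

    $login = sanitize_user(wp_unslash($_POST['username'] ?? ''), true);
    $email = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(24),
        'role'       => get_option('default_role', 'subscriber'), // never $_POST['role']
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }
    wp_send_json_success(['user_id' => $user_id]);
}

// (b) Changing a role is a separate, logged-in-only action (no nopriv hook),
//     gated on the caller's capability and an allowlist of assignable roles.
add_action('wp_ajax_em_assign_role', 'em_assign_role');

function em_assign_role() {
    check_ajax_referer('em_assign_role', 'nonce');
    if (!current_user_can('promote_users')) {
        wp_send_json_error('Insufficient privileges.', 403);
    }

    $user_id = absint($_POST['user_id'] ?? 0);
    $role    = sanitize_key(wp_unslash($_POST['role'] ?? ''));

    // get_editable_roles() is the set core lets the current user hand out;
    // administrator is excluded outright so this endpoint can never mint one.
    $assignable = array_keys(get_editable_roles());
    if ($role === '' || $role === 'administrator' || !in_array($role, $assignable, true)) {
        wp_send_json_error('Role not assignable.', 400);
    }

    $user = get_user_by('id', $user_id);
    if (!$user || !current_user_can('edit_user', $user_id)) {
        wp_send_json_error('No such user.', 404);
    }
    $user->set_role($role); // replaces, rather than adds to, existing roles
    wp_send_json_success(['user_id' => $user_id, 'role' => $role]);
}
```

The vulnerable and hardened handlers call the same sanitize_* helpers; the difference is that the hardened code never lets an unauthenticated request choose a role at all, and for authenticated callers it checks a capability (promote_users), restricts the value to roles core would let that user assign, and refuses administrator regardless. When reviewing a plugin for this bug class, grep for wp_ajax_nopriv_ hooks and for any wp_insert_user, wp_update_user, set_role or add_cap call whose role argument can be traced back to $_POST, $_GET or $_REQUEST.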

Affected Products (AI)

The vulnerability affects the Udit Rawat Exam Matrix WordPress plugin (slug exam-matrix) from an unspecified initial version through version 1.5 inclusive (the range is given as lower bound n/a, upper bound <= 1.5). No CPE string was provided in the input data. Patchstack (audit@patchstack.com) is the reporting CNA; its advisory at patchstack.com should be consulted for the canonical affected-version list and any vendor advisory URL.

Remediation (AI)

No vendor-released patch was identified at time of analysis from the supplied data: the description ends the affected range at <= 1.5 without naming a fixed version. Administrators should check the plugin's WordPress.org page and the Patchstack advisory (audit@patchstack.com) for a release beyond 1.5 and apply it once it is confirmed to address this issue.

Compensating controls until a confirmed patched version is installed:

- Deactivate and remove the Exam Matrix plugin entirely if exam functionality is not currently in use (no side effect for sites that do not use it). Deactivation alone leaves the code on disk; removal is preferable.
- If the plugin is required, restrict access to wp-admin and the plugin's AJAX/REST entry points (admin-ajax.php and any REST namespace it registers) with web application firewall rules or .htaccess IP allowlisting (side effect: blocks legitimate remote admin access from non-allowlisted IPs, and admin-ajax.php is also used by some front-end features).
- Disable open user registration under Settings > General ("Anyone can register") if it is not required (side effect: legitimate self-service signup is blocked). Caveat: this setting is honoured by WordPress' own registration form, not by a plugin handler that calls wp_insert_user() directly, so it is a hardening step rather than a guaranteed block for this flaw.
- Audit existing WordPress users for unexpected administrator or editor accounts, particularly any created since the plugin was installed, and remove any that are not recognized.
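The inventory and account-audit steps above, as an added example that is not part of the page or the plugin: a read-only script run through WP-CLI as `wp eval-file em-audit.php 2024-10-01`, where the date is a cutoff you choose (the page says "since the plugin was installed", but WordPress does not record installation dates, so the cutoff is an assumption you supply). The plugin slug exam-matrix comes from the advisory; the file name and the choice of manage_options / edit_others_posts as the "privileged" capabilities are assumptions.

```php
<?php
/*
 * Added audit example, not the plugin's or the page's code.
 * Usage: wp eval-file em-audit.php <YYYY-MM-DD>
 * Arguments after the file name arrive in $args (WP-CLI eval-file behaviour).
 */
if (!defined('WP_CLI') || !WP_CLI) {
    exit("Run with: wp eval-file em-audit.php <YYYY-MM-DD>\n");
}
$cutoff = isset($args[0]) ? strtotime($args[0]) : false;
if ($cutoff === false) {
    WP_CLI::error('Usage: wp eval-file em-audit.php <YYYY-MM-DD cutoff>');
}

// 1. Is Exam Matrix installed, which version, and is it active?
//    get_plugins()/is_plugin_active() live in the admin includes, which
//    eval-file does not load by default.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
$found = false;
foreach (get_plugins() as $file => $data) {
    if (strpos($file, 'exam-matrix/') !== 0) {
        continue;
    }
    $found = true;
    $state = is_plugin_active($file) ? 'ACTIVE' : 'inactive';
    // The advisory names no fixed version, so anything <= 1.5 is treated as
    // affected and anything newer still needs checking against the advisory.
    $verdict = version_compare($data['Version'], '1.5', '<=')
        ? 'AFFECTED (<= 1.5)'
        : 'newer than 1.5, confirm against advisory';
    WP_CLI::log(sprintf('%s  version %s  %s  %s', $file, $data['Version'], $state, $verdict));
}
if (!$found) {
    WP_CLI::log('exam-matrix is not installed.');
}

// 2. List every account that can administer the site or edit others' content.
//    Checking capabilities rather than role names means a custom role or a
//    capability granted directly to a user does not slip past the audit.
WP_CLI::log("\nflag   ID    login                email                          registered (UTC)     roles");
$review = 0;
foreach (get_users(['fields' => 'all']) as $u) {
    if (!user_can($u, 'manage_options') && !user_can($u, 'edit_others_posts')) {
        continue;
    }
    $registered = strtotime($u->user_registered); // stored in UTC by WordPress
    $flag = ($registered !== false && $registered >= $cutoff) ? 'REVIEW' : 'ok';
    if ($flag === 'REVIEW') {
        $review++;
    }
    WP_CLI::log(sprintf('%-6s %-5d %-20s %-30s %s  %s',
        $flag, $u->ID, $u->user_login, $u->user_email,
        $u->user_registered, implode(',', $u->roles)));
}
WP_CLI::log(sprintf("\n%d privileged account(s) registered on or after the cutoff.", $review));
```

Accounts flagged REVIEW are not automatically malicious; compare them against your own records before deleting (wp user delete <ID> --reassign=<admin ID> keeps their content). If you only need the quick version of step 2, core WP-CLI already provides wp user list --role=administrator --fields=ID,user_login,user_email,user_registered, and removal of the plugin is wp plugin deactivate exam-matrix followed by wp plugin delete exam-matrix.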


CVE-2024-50485 vulnerability details – vuln.today
