Wp NssUser Register CVE-2024-54363
Severity: CRITICAL (CVSS 3.1 base score 9.8, by source)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD, the only source for this CVE.
Description (CVE.org)
Incorrect Privilege Assignment vulnerability in saiful.total Wp NssUser Register (wp-nssuser-register) allows Privilege Escalation. This issue affects Wp NssUser Register: from n/a through <= 1.0.0.
Analysis (AI)
The Wp NssUser Register WordPress plugin by saiful.total, in all versions through 1.0.0, lets a remote, unauthenticated attacker obtain elevated privileges because of incorrect privilege assignment (CWE-266). The CVSS 3.1 base score of 9.8 and the EPSS score of 31.93% (97th percentile) put the likelihood of exploitation well above that of most CVEs, although no public exploit had been identified at the time of analysis. A successful attack gives full control of the affected WordPress installation: confidentiality, integrity and availability are all rated High in the vector.
Technical Context (AI)
Wp NssUser Register is a third-party WordPress plugin by saiful.total that extends WordPress's native user registration. The root cause is CWE-266 (Incorrect Privilege Assignment): the plugin's registration or role-handling code assigns a higher privilege level than intended. Given PR:N and UI:N in the vector, the most likely shape is that a self-registered user ends up with an administrative or otherwise elevated WordPress role instead of being constrained to a low-privilege role such as subscriber (the site's default_role setting). WordPress's role-based access control depends on the correct role, and therefore capability set, being assigned at user creation; a plugin that derives the role from client-controlled input, or overrides the default without validation, bypasses the entire WordPress permission model in one step.
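To make the weakness class concrete, the following is an added example written for this page. It is not code from the Wp NssUser Register plugin (the plugin's actual code is not reproduced here), and the `admin_post_nopriv_example_*` hook names, the `example_register_*` function names and the form field names are assumptions; only core WordPress APIs (`wp_insert_user`, `get_option`, `wp_verify_nonce`, `wp_new_user_notification`) are used. The first handler shows the CWE-266 pattern of letting the request choose the role; the second shows the same registration flow with the role fixed server-side.

```php
<?php
/**
 * Illustration of CWE-266 in a WordPress self-registration handler.
 * Added example for this page, NOT code from the Wp NssUser Register plugin.
 * Hook names, example_* function names and form field names are assumptions.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern: the role is taken from the request body.
// admin_post_nopriv_* fires for unauthenticated POSTs to wp-admin/admin-post.php,
// which matches the PR:N / UI:N shape of the CVSS vector on this page.
// ---------------------------------------------------------------------------
add_action('admin_post_nopriv_example_register', 'example_register_vulnerable');
function example_register_vulnerable(): void {
    $login = sanitize_user($_POST['user_login'] ?? '');
    $email = sanitize_email($_POST['user_email'] ?? '');
    $pass  = (string) ($_POST['user_pass'] ?? '');

    // CWE-266: an anonymous caller chooses their own role. sanitize_text_field()
    // strips tags and whitespace; it does nothing to stop the value 'administrator'.
    $role = sanitize_text_field($_POST['role'] ?? 'subscriber');

    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,   // honoured verbatim by core
    ]);
    if (is_wp_error($user_id)) {
        wp_die(esc_html($user_id->get_error_message()), 400);
    }
    wp_safe_redirect(wp_login_url());
    exit;
}

// ---------------------------------------------------------------------------
// Hardened pattern: the role is decided server-side and capped.
// ---------------------------------------------------------------------------
add_action('admin_post_nopriv_example_register_safe', 'example_register_hardened');
function example_register_hardened(): void {
    // Reject cross-site form posts and respect the site's own registration toggle.
    if (!wp_verify_nonce($_POST['_wpnonce'] ?? '', 'example_register')) {
        wp_die('Invalid request.', 403);
    }
    if (!get_option('users_can_register')) {
        wp_die('Registration is closed.', 403);
    }

    $login = sanitize_user($_POST['user_login'] ?? '', true);
    $email = sanitize_email($_POST['user_email'] ?? '');
    if (!validate_username($login) || !is_email($email)) {
        wp_die('Invalid username or e-mail address.', 400);
    }

    // The role comes from the site setting, never from the request, and even a
    // tampered setting cannot mint an elevated account through this path.
    $role = (string) get_option('default_role', 'subscriber');
    if (in_array($role, ['administrator', 'editor'], true)) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        // Random password; the user sets their own through the e-mailed reset link.
        'user_pass'  => wp_generate_password(32, true, true),
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        wp_die(esc_html($user_id->get_error_message()), 400);
    }

    // Third argument 'user' sends the set-password e-mail to the new user only.
    wp_new_user_notification($user_id, null, 'user');
    wp_safe_redirect(wp_login_url());
    exit;
}
```

When reviewing a registration plugin, grep for `'role'` (and `set_role`, `add_role`, `wp_update_user`) and trace each value back to its origin: anything that can be reached from `$_POST`, `$_GET`, `$_REQUEST` or a REST request parameter without a capability check is the pattern above. Note that omitting `'role'` entirely makes `wp_insert_user()` apply `default_role` itself, so the hardened handler's explicit cap is defence in depth, not a substitute for keeping the value out of the request.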
Affected Products (AI)
The vulnerability affects the Wp NssUser Register WordPress plugin (slug: wp-nssuser-register) by author saiful.total, in all versions from initial release through and including 1.0.0. No CPE strings were provided in the source data. The advisory was issued by Patchstack (audit@patchstack.com), which typically publishes details at patchstack.com/database; consult Patchstack's CVE-2024-54363 entry for the authoritative affected-version listing.
Remediation (AI)
No vendor-released patch was identified at the time of analysis: the advisory lists versions up to and including 1.0.0 as affected and names no fixed version. Because 1.0.0 is also the latest release, there is no safe version to update to, and the plugin appears to be unmaintained, so the recommended remediation is to deactivate and uninstall Wp NssUser Register immediately. Uninstalling removes the registration path but not any accounts it already created.

If the plugin's functionality cannot be given up, reduce exposure with compensating controls: restrict access to the registration endpoint at the web server or WAF layer (for example, block or rate-limit requests to the plugin's registration handler), audit all existing WordPress user accounts for unexpected administrator or editor roles, and rotate credentials and secrets for any account that may have been compromised. These controls lower the risk but do not remove the underlying flaw. Consult the Patchstack advisory for CVE-2024-54363 for updated guidance if a patched version is later released.
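The account audit above is the step most sites get wrong, because WordPress stores roles as a serialized PHP array in `wp_usermeta` (`meta_key = 'wp_capabilities'`, with `wp_` replaced by the site's `$table_prefix`) rather than in a column you can eyeball. The script below is an added example written for this page, not from the plugin or from Patchstack; it runs under plain `php` on the command line with no WordPress installation, and the sample rows, the allow-list and the cutoff date are constructed. On a live site the quick equivalent is `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`, but an offline pass over a database export is what you want during incident response, when the site itself may not be trustworthy.

```php
<?php
/**
 * Offline audit of WordPress role assignments.
 * Added example for this page, not from the plugin or from Patchstack.
 * Input rows are CONSTRUCTED sample data shaped like the result of
 *   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
 *   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
 *   WHERE m.meta_key = 'wp_capabilities';
 * (replace the wp_ prefix with the site's $table_prefix). Runs with plain php-cli.
 */

const ELEVATED_ROLES = ['administrator', 'editor'];

/** Decode the serialized role => true map WordPress keeps in wp_capabilities. */
function wp_roles_from_capabilities(string $serialized): array
{
    // allowed_classes => false: never instantiate objects from database content.
    $caps = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($caps)) {
        return [];   // corrupt or hand-edited meta: no roles, but worth a look on its own
    }
    // Keys with a truthy value are roles (or capabilities granted directly to the user).
    return array_keys(array_filter($caps));
}

/**
 * Flag every account holding an elevated role that is either not on the
 * allow-list of known administrators or was registered on/after $since
 * (for example the date the vulnerable plugin was installed).
 */
function audit_elevated_accounts(array $rows, array $known_admins, string $since): array
{
    $findings = [];
    foreach ($rows as $row) {
        $roles    = wp_roles_from_capabilities($row['meta_value']);
        $elevated = array_values(array_intersect($roles, ELEVATED_ROLES));
        if ($elevated === []) {
            continue;
        }
        $unexpected = !in_array($row['user_login'], $known_admins, true);
        $recent     = $row['user_registered'] >= $since;   // MySQL DATETIME sorts lexically
        if ($unexpected || $recent) {
            $findings[] = [
                'ID'         => (int) $row['ID'],
                'user_login' => $row['user_login'],
                'roles'      => $elevated,
                'registered' => $row['user_registered'],
                'reason'     => $unexpected ? 'not on admin allow-list' : 'registered after cutoff',
            ];
        }
    }
    return $findings;
}

// Constructed sample rows (not real data).
$rows = [
    ['ID' => 1,  'user_login' => 'siteowner',  'user_registered' => '2021-03-02 10:00:00',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 57, 'user_login' => 'jsmith',     'user_registered' => '2024-11-28 04:12:09',
     'meta_value' => 'a:1:{s:10:"subscriber";b:1;}'],
    ['ID' => 58, 'user_login' => 'qx9',        'user_registered' => '2024-12-01 02:33:41',
     'meta_value' => 'a:1:{s:13:"administrator";b:1;}'],
    ['ID' => 59, 'user_login' => 'newseditor', 'user_registered' => '2024-12-01 02:40:12',
     'meta_value' => 'a:2:{s:6:"editor";b:1;s:14:"upload_plugins";b:1;}'],
];

$findings = audit_elevated_accounts($rows, ['siteowner'], '2024-11-01 00:00:00');
foreach ($findings as $f) {
    printf("user %d (%s) roles=%s registered=%s: %s\n",
        $f['ID'], $f['user_login'], implode(',', $f['roles']), $f['registered'], $f['reason']);
}
```

With the sample data, `siteowner` is skipped (allow-listed and registered before the cutoff) and `jsmith` is skipped (subscriber only), while `qx9` and `newseditor` are reported. On a multisite install, repeat the query per blog prefix, and treat any account the audit flags as compromised until proven otherwise: reset its password, invalidate its sessions, and check `wp_usermeta` for session tokens and application passwords it may have created.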