CVE-2024-0324 in User Profile Builder Plugin
Summary
by MITRE • 02/06/2024
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0324 affects the User Profile Builder plugin for WordPress, specifically targeting versions up to and including 3.10.8. This plugin serves as a comprehensive user management solution that allows administrators to create custom registration forms, user profiles, and manage user roles within WordPress environments. The issue stems from a critical authorization flaw in the plugin's codebase where proper capability checks are absent for a specific administrative function. The vulnerability is particularly concerning as it directly impacts the security posture of WordPress installations by allowing unauthorized modification of critical user authentication settings. The affected function 'wppb_two_factor_authentication_settings_update' operates without verifying whether the requesting user possesses the necessary administrative privileges to modify two-factor authentication configurations. This missing capability check creates an exploitable condition that bypasses WordPress's standard permission system and allows any unauthenticated attacker to manipulate the two-factor authentication settings for user roles.
The technical exploitation of this vulnerability occurs through the absence of proper authentication verification within the plugin's administrative interface. When an attacker sends a request to modify two-factor authentication settings, the plugin fails to validate whether the request originates from a legitimate administrator with appropriate permissions. This flaw directly violates the principle of least privilege and allows attackers to enable or disable two-factor authentication functionality for arbitrary user roles within the system. The vulnerability can be leveraged to disable security features that protect user accounts, potentially leading to account takeovers and unauthorized access to sensitive user data. The impact extends beyond simple configuration changes as disabling two-factor authentication removes an important layer of security that protects against credential theft and unauthorized access attempts. This vulnerability specifically affects the premium version functionality of the plugin, making it particularly dangerous as it targets enhanced security features that organizations rely upon to protect their user base.
From an operational perspective, this vulnerability creates significant risk for WordPress administrators and organizations that depend on the User Profile Builder plugin for user management. Attackers can exploit this weakness to undermine the security of user accounts by disabling two-factor authentication mechanisms that are critical for protecting against credential compromise. The vulnerability's impact is amplified because it affects user roles rather than individual accounts, potentially allowing attackers to disable security measures for multiple users simultaneously. This makes the vulnerability particularly dangerous in environments where administrators rely on two-factor authentication as a primary security control for user access management. Organizations using this plugin may experience unauthorized modification of security configurations, potentially leading to data breaches, account hijacking, and compromised user data integrity. The vulnerability also creates a persistent risk as it remains exploitable until the plugin is updated to include proper capability checks, leaving systems exposed during the period between vulnerability disclosure and patch implementation.
Mitigation strategies for CVE-2024-0324 should prioritize immediate plugin updates to versions that include proper capability checks and authentication validation. Administrators should implement network-level protections including firewalls and intrusion detection systems to monitor for suspicious administrative requests that may indicate exploitation attempts. The implementation of additional security layers such as web application firewalls and monitoring of administrative API endpoints can help detect and prevent exploitation attempts. Organizations should also conduct immediate vulnerability assessments to identify if any unauthorized modifications have occurred within their WordPress installations. Regular security audits of plugin installations and user management configurations are essential to maintain system integrity. The vulnerability aligns with CWE-284 which addresses improper access control and ATT&CK technique T1078 which covers valid accounts for gaining access. Security teams should also consider implementing principle of least privilege configurations and regular security training for administrators to reduce the risk of exploitation and ensure proper security practices are maintained across the organization.