CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21743 – WordPress Houzez Login Register plugin <= 3.2.5 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-21743
Privilege Escalation vulnerability in favethemes Houzez Login Register houzez-login-register.This issue affects Houzez Login Register: from n/a through 3.2.5. The Houzez Login Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.5. This is due to the houzez_agency_agent_update function not properly verifying a user's identity prior to allowing them to update user details like email address. This makes it possible for authenticated attackers, with subscriber-level access and above, to change any user's email, including administrators and reset the password therefore gaining access to the account. • https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-3-2-5-privilege-escalation-vulnerability?_s_id=cve • CWE-266: Incorrect Privilege Assignment CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26009 – WordPress Houzez Login Register plugin <= 2.6.3 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-26009
Improper Privilege Management vulnerability in favethemes Houzez Login Register allows Privilege Escalation.This issue affects Houzez Login Register: from n/a through 2.6.3. Vulnerabilidad de gestión de privilegios incorrecta en favethemes Houzez Login Register permite la escalada de privilegios. Este problema afecta a Houzez Login Register: desde n/a hasta 2.6.3. The Houzez Login Register plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.3. This is due to improper assignment of privileges on user registration that allows users to supply their own role via the houzez_register AJAX action. • https://patchstack.com/database/vulnerability/houzez-login-register/wordpress-houzez-login-register-plugin-2-6-3-privilege-escalation?_s_id=cve • CWE-269: Improper Privilege Management •