cleantalk
Vulnerabilities and Security Researches

The Ultimate WordPress Toolkit – WP Extended, CVE-2024-8121

CVE, Research URL

CVE-2024-8121

Home page URL

Security reports for The Ultimate WordPress Toolkit – WP Extended

Application

The Ultimate WordPress Toolkit – WP Extended

Published on
Sep 04, 2024
Research Description
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change an admin's username to a username of their liking as long as the default 'admin' was used.
Affected versions
Min -, max 3.0.9.
Status
vulnerable
Previous vulnerability researches
The Ultimate WordPress Toolkit – WP Extended (CVE-2024-37259) , Jul 01, 2024
The Ultimate WordPress Toolkit – WP Extended (CVE-2024-13184) , Jan 20, 2025
The Ultimate WordPress Toolkit – WP Extended (CVE-2024-11916) , Jan 09, 2025
The Ultimate WordPress Toolkit – WP Extended (CVE-2024-11816) , Jan 09, 2025
The Ultimate WordPress Toolkit – WP Extended (CVE-2025-4963) , Jun 14, 2025
New vulnerability
DIOT SCADA with MQTT (CVE-2025-4216) , Jun 16, 2025
Simple Newsletter Plugin – Noptin (CVE-2025-49871) , Jun 16, 2025
Job Board Manager (CVE-2025-49324) , Jun 16, 2025
Bitly URL Shortener (CVE-2025-30629) , Jun 16, 2025
ACF Onyx Poll (CVE-2025-5841) , Jun 16, 2025