PT-2025-1970 · WordPress · Adforest
Chloe Chamberland · Published 2025-01-22 · Updated 2025-01-27 · CVE-2024-12857
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AdForest theme for WordPress versions up to, and including, 5.1.8
Description
The AdForest theme for WordPress is vulnerable to authentication bypass due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. Thousands of sites may be at risk.
Recommendations
To safeguard sites, update to version 5.1.9. As a temporary workaround, consider disabling the OTP login by phone number feature, and avoid using it in the affected API endpoints, until the issue is resolved. Restrict access to sensitive areas of the site to minimize the risk of exploitation.
Fix
Missing Authentication
Authentication Bypass Using an Alternate Path or Channel
Related identifiers
Affected products
Adforest