PT-2021-16164 · WordPress · The Registration Forms – User Profile

Ayecode Ltd

Published: 2021-11-08 · Updated: 2021-11-10

CVE-2021-24647

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin, versions prior to 3.1.7.6

Description: The issue is a flaw in the social login implementation that allows an unauthenticated attacker to log in as any user on the site by knowing only that user's user id or username.

Recommendations: For versions prior to 3.1.7.6, update to version 3.1.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the social login features until the update is applied, and avoid relying on the username or user id parameters in sensitive operations until the issue is resolved.
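As an added illustration (not code from the plugin, the vendor or this advisory), the PHP sketch below contrasts the unsafe pattern the description refers to, where a login is granted from a caller-supplied user id, with a hardened social-login callback that resolves the WordPress account only from the identity the provider verified on the server side. The function names, the `$provider_profile` array shape and the `social_login_<provider>_sub` user-meta key are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Assumed names: the two example_*
// functions, the $provider_profile array and the 'social_login_<provider>_sub'
// user-meta key that stores which provider subject is linked to which account.

/**
 * Weak pattern: the class of flaw described in the advisory. Whoever supplies
 * a user id (or username) is logged in as that account, with no proof that the
 * caller owns it.
 */
function example_weak_social_login_callback() {
    $user_id = isset( $_REQUEST['user_id'] ) ? (int) $_REQUEST['user_id'] : 0;
    if ( $user_id > 0 ) {
        wp_set_auth_cookie( $user_id ); // identity taken from the request
    }
}

/**
 * Hardened pattern: the account is looked up by the provider-verified subject
 * id that was stored when the user linked the account, never by a user id or
 * username found in the request. Returns a WP_User on success, WP_Error otherwise.
 *
 * $provider_profile is assumed to be the result of a server-to-server exchange
 * (e.g. redeeming the OAuth code and validating the returned token) and to
 * carry the provider name and the provider's stable subject identifier.
 */
function example_hardened_social_login( array $provider_profile ) {
    if ( empty( $provider_profile['provider'] ) || empty( $provider_profile['sub'] ) ) {
        return new WP_Error( 'social_login_bad_profile', 'Provider identity missing.' );
    }
    $provider = sanitize_key( $provider_profile['provider'] );
    $subject  = sanitize_text_field( $provider_profile['sub'] );

    // Resolve the account from the stored provider binding (assumed meta key).
    $users = get_users( array(
        'meta_key'   => 'social_login_' . $provider . '_sub',
        'meta_value' => $subject,
        'number'     => 2,
        'fields'     => 'all',
    ) );

    if ( count( $users ) !== 1 ) {
        // Zero matches: no linked account, so hand off to registration instead.
        // Two matches: inconsistent data; refuse rather than pick one.
        return new WP_Error( 'social_login_no_binding', 'No uniquely linked account.' );
    }
    $user = $users[0];

    // Establish the session only for the account resolved above.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    do_action( 'wp_login', $user->user_login, $user );

    return $user;
}
```

The hardened callback should still sit behind the usual OAuth `state`/nonce check; the point of the example is that the request may carry nothing that selects which account gets the session. On the detection side, a `wp_login` event originating from the social-login endpoint for an account that has no stored provider binding is a useful indicator to alert on.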

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2021-24647

Affected Products: The Registration Forms – User Profile