PT-2024-16716 · WordPress · Multimanager Wp
Khayal Farzaliyev
+1
·
Published
2024-11-13
·
Updated
2024-11-19
·
CVE-2024-11028
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress versions up to, and including, 1.0.5
Description
The issue is due to the user impersonation feature inappropriately determining the current user via user-supplied input, making it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.
Recommendations
For versions up to, and including, 1.0.5, update to version 1.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the user impersonation feature until a patch is available. Restrict access to the vulnerable plugin to minimize the risk of exploitation. Avoid using the user impersonation feature in the affected plugin until the issue is resolved.
Fix
Authentication Bypass Using an Alternate Path or Channel
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Multimanager Wp