PT-2024-39545 · WordPress · Wordpress & Woocommerce Affiliate Program
Tonn · Published 2024-10-01 · Updated 2024-10-08 · CVE-2024-9289
| CVSS v3.1 | 9.8 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WordPress & WooCommerce Affiliate Program plugin versions up to, and including, 8.4.1
Description
The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass because the rtwwwap_login_request_callback() function does not properly validate a user's identity before authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they have access to the administrator's email.
Recommendations
For WordPress & WooCommerce Affiliate Program plugin versions up to, and including, 8.4.1, update to a version later than 8.4.1 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the site to minimize the risk of exploitation.
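The weakness described above is an email-based login request that authenticates on the submitted identifier alone. As an added illustration (not the plugin's own code, and not a fix from its vendor), the following WordPress callback only sets the auth cookie after the requester proves possession of a one-time token delivered to that mailbox; all function, hook and meta-key names prefixed ex_ are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. A callback that resolves a user from
// a submitted email and immediately sets the auth cookie authenticates on an
// identifier alone; this version requires a single-use token that only the
// mailbox owner receives. All ex_* names and the meta key are hypothetical.

const EX_TOKEN_META = '_ex_login_token';
const EX_TOKEN_TTL  = 15 * MINUTE_IN_SECONDS;

// Step 1: request a login link. No session is created here.
function ex_login_request_callback() {
    check_ajax_referer( 'ex_login_request', 'nonce' );

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = $email ? get_user_by( 'email', $email ) : false;

    // Respond identically whether or not the address exists (no user enumeration).
    if ( $user ) {
        $token = bin2hex( random_bytes( 32 ) );
        update_user_meta( $user->ID, EX_TOKEN_META, [
            'hash'    => hash( 'sha256', $token ), // store a digest, never the token
            'expires' => time() + EX_TOKEN_TTL,
        ] );
        $url = add_query_arg( [ 'ex_login' => $token, 'uid' => $user->ID ], home_url( '/' ) );
        wp_mail( $user->user_email, 'Your login link', esc_url_raw( $url ) );
    }
    wp_send_json_success( 'If that address exists, a login link has been sent.' );
}

// Step 2: consume the link. Authenticate only after the token is verified.
function ex_login_verify() {
    $token = isset( $_GET['ex_login'] ) ? (string) $_GET['ex_login'] : '';
    $uid   = isset( $_GET['uid'] ) ? absint( $_GET['uid'] ) : 0;
    $rec   = $uid ? get_user_meta( $uid, EX_TOKEN_META, true ) : false;

    if ( ! $token || ! is_array( $rec ) || time() > $rec['expires']
        || ! hash_equals( $rec['hash'], hash( 'sha256', $token ) ) ) {
        wp_die( 'Invalid or expired login link.', 403 );
    }
    delete_user_meta( $uid, EX_TOKEN_META ); // single use
    wp_set_current_user( $uid );
    wp_set_auth_cookie( $uid, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}

add_action( 'wp_ajax_nopriv_ex_login_request', 'ex_login_request_callback' );
add_action( 'init', function () { if ( isset( $_GET['ex_login'] ) ) { ex_login_verify(); } } );
```

The key difference from the vulnerable pattern is that the email address only selects the account; the constant-time token check, expiry and single-use deletion are what actually authenticate the request.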
Fix
Missing Authentication
Authentication Bypass Using an Alternate Path or Channel
Affected Products
Wordpress & Woocommerce Affiliate Program