PT-2024-39945 · WordPress · Extensions By Hocwp Team

István Márton

Published

2024-10-26

Updated

2024-10-28

CVE-2024-9930

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Extensions by HocWP Team plugin for WordPress versions up to, and including, 0.2.3.2

Description The issue is related to authentication bypass due to missing validation on the user being supplied in the verify email action. This allows unauthenticated attackers to log in as any existing user, including administrators, by exploiting the vulnerability in the Account extension.

Recommendations For versions up to, and including, 0.2.3.2, consider disabling the verify email action until a patch is available to prevent exploitation. Restrict access to the Account extension to minimize the risk of unauthorized login. Avoid using the verify email action in the affected plugin until the issue is resolved.

Fix

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288

Related Identifiers

CVE-2024-9930

Affected Products

Extensions By Hocwp Team

PT-2024-39945 · WordPress · Extensions By Hocwp Team

CVE-2024-9930

Weakness Enumeration

Related Identifiers

Affected Products

References · 5