PT-2024-39948 · WordPress · Watchtowerhq

István Márton · Published 2024-10-26 · Updated 2024-10-28

CVE-2024-9933 · CVSS v3.1 9.8 (Critical) · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WatchTowerHQ plugin for WordPress, versions up to and including 3.9.6

Description: Authentication bypass. The watchtower_ota_token option defaults to an empty value, and the Password_Less_Access::login function does not check that the token is non-empty before comparing it, so a login request that supplies an empty token can match the empty default. This allows unauthenticated attackers to log in as the WatchTowerHQ client administrator user.

Recommendations: For versions up to and including 3.9.6, consider disabling the Password_Less_Access::login function until a patch is available, to prevent unauthenticated access. Restrict access to the WatchTowerHQ plugin to minimize the risk of exploitation. Do not rely on the default (empty) watchtower_ota_token value in the affected login functionality until the issue is resolved.
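The following is an added, illustrative example and is not code from the WatchTowerHQ plugin. It reproduces the failure mode described above in a self-contained PHP script: a shared token whose stored default is the empty string, compared against a request parameter with no non-empty check, beside a hardened version of the same check. The option store class and the function names login_vulnerable and login_hardened are assumptions made for the example; only the option name watchtower_ota_token comes from the advisory.

```php
<?php
// Added illustrative example, not the WatchTowerHQ plugin's code.
// Shows why an empty default token plus a missing non-empty check lets an
// unauthenticated request pass a token-equality gate, and how to close it.
// OptionStore, login_vulnerable and login_hardened are assumed names.

declare(strict_types=1);

// Stand-in for the WordPress options table (the real storage is not shown
// by the advisory). An unprovisioned token reads back as '' from get(),
// which is the "default value is empty" condition.
final class OptionStore {
    private array $options = [];

    public function get(string $name, string $default = ''): string {
        return $this->options[$name] ?? $default;
    }

    public function set(string $name, string $value): void {
        $this->options[$name] = $value;
    }
}

// Vulnerable shape: equality with the stored token is the only gate.
// With the token unprovisioned, a request whose "token" parameter is
// absent or empty compares equal to '' and is accepted.
function login_vulnerable(OptionStore $store, array $request): bool {
    $supplied = (string) ($request['token'] ?? '');
    $stored   = $store->get('watchtower_ota_token');
    return $supplied === $stored;
}

// Hardened shape: refuse when the feature was never provisioned, refuse
// empty input, then compare in constant time. Note that hash_equals('', '')
// returns true, so the non-empty checks must come before the comparison.
function login_hardened(OptionStore $store, array $request): bool {
    $supplied = (string) ($request['token'] ?? '');
    $stored   = $store->get('watchtower_ota_token');
    if ($stored === '' || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed requests: no token parameter, an empty token, and a valid one.
$store      = new OptionStore();      // token never provisioned
$noToken    = [];
$emptyToken = ['token' => ''];

var_dump(login_vulnerable($store, $noToken));
var_dump(login_vulnerable($store, $emptyToken));
var_dump(login_hardened($store, $noToken));
var_dump(login_hardened($store, $emptyToken));

// Once a token is provisioned, only a request carrying it is accepted.
$store->set('watchtower_ota_token', bin2hex(random_bytes(32)));
$good = ['token' => $store->get('watchtower_ota_token')];

var_dump(login_hardened($store, $good));
var_dump(login_hardened($store, $emptyToken));
var_dump(login_vulnerable($store, $emptyToken));
```

Run with `php example.php`. While the token is unprovisioned, login_vulnerable accepts both the request with no token and the request with an empty token, which is the bypass; login_hardened rejects both. After a token is set, both functions reject the empty token and only login_hardened is shown accepting the correct one, since the hardened check is the one a fix should look like: treat an unset token as "feature disabled", never as "any input matches".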

Fix

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Related Identifiers

CVE-2024-9933

Affected Products

Watchtowerhq