CVE-2024-9988

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Crypto plugin for WordPress versions up to, and including, 2.15

Description The issue is related to authentication bypass due to missing validation on the user being supplied in the crypto connect ajax process::register function. This allows unauthenticated attackers to log in as any existing user, such as an administrator, if they have access to the username.

Recommendations For Crypto plugin for WordPress versions up to, and including, 2.15, update to a version that includes the necessary validation to prevent authentication bypass. As a temporary workaround, consider disabling the crypto connect ajax process::register function until a patch is available.

Fix

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288

Related Identifiers

CVE-2024-9988

Affected Products

Crypto++

CVE-2024-9988

Weakness Enumeration

Related Identifiers

Affected Products

References · 8