PT-2025-1970 · WordPress · Adforest
Chloe Chamberland · Published 2025-01-22 · Updated 2025-01-27
CVE-2024-12857
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AdForest theme for WordPress versions up to, and including, 5.1.8
Description
The AdForest theme for WordPress is vulnerable to authentication bypass because the theme does not properly verify a user's identity before logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number. Thousands of sites may be at risk.
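The weakness class the advisory describes is an OTP-by-phone login path that establishes a session without actually proving the caller holds the code sent to that phone. The following is an added, hypothetical example of what a hardened version of such a flow looks like in a WordPress theme or plugin; it is not AdForest's code and does not reconstruct the vulnerable path. The route name `example/v1/otp-login`, the `example_phone` user meta key, the transient naming, the attempt limit and the SMS delivery stub are all assumptions made for illustration.

```php
<?php
// Added, hypothetical example of a hardened OTP-by-phone login flow for WordPress.
// Not AdForest's code. Route, meta key, transient names and limits are assumptions.

// Step 1: issue a code. Only a code we generated and stored server side can later prove identity.
function example_issue_otp( $phone ) {
    $phone = preg_replace( '/[^0-9+]/', '', (string) $phone );
    // Assumption: the phone number is stored in user meta under "example_phone".
    $users = get_users( array( 'meta_key' => 'example_phone', 'meta_value' => $phone, 'number' => 1 ) );
    if ( empty( $users ) ) {
        return false; // respond identically to the client whether or not the number exists
    }
    $otp = (string) random_int( 100000, 999999 );
    set_transient( 'example_otp_' . md5( $phone ), array(
        'hash'     => wp_hash_password( $otp ),   // never store the code in clear
        'user_id'  => $users[0]->ID,              // bind the code to the account it was issued for
        'attempts' => 0,
    ), 5 * MINUTE_IN_SECONDS );                   // short lifetime
    example_send_sms( $phone, $otp );             // delivery stub, see below
    return true;
}

function example_send_sms( $phone, $otp ) {
    // Placeholder: hand the code to an SMS provider. Deliberately left out of this example.
}

// Step 2: the login endpoint. Unauthenticated by design; the OTP is the only credential accepted.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/otp-login', array(
        'methods'             => 'POST',
        'callback'            => 'example_otp_login',
        'permission_callback' => '__return_true',
    ) );
} );

function example_otp_login( WP_REST_Request $request ) {
    $phone = preg_replace( '/[^0-9+]/', '', (string) $request->get_param( 'phone' ) );
    $otp   = (string) $request->get_param( 'otp' );
    $fail  = new WP_Error( 'otp_invalid', 'Invalid or expired code.', array( 'status' => 401 ) );

    // Never log anyone in on the strength of a phone number (or a user id) supplied by the client.
    if ( $phone === '' || $otp === '' ) {
        return $fail;
    }

    // Look up the pending code for this number from server side state only.
    $key     = 'example_otp_' . md5( $phone );
    $pending = get_transient( $key ); // false once expired
    if ( ! is_array( $pending ) ) {
        return $fail;
    }

    // Bound guessing: a six digit code is only meaningful with a small attempt budget.
    if ( $pending['attempts'] >= 5 ) {
        delete_transient( $key );
        return new WP_Error( 'otp_locked', 'Too many attempts; request a new code.', array( 'status' => 429 ) );
    }

    // Constant time check against the stored hash.
    if ( ! wp_check_password( $otp, $pending['hash'] ) ) {
        $pending['attempts']++;
        set_transient( $key, $pending, 5 * MINUTE_IN_SECONDS );
        return $fail;
    }

    // Single use: discard the code before creating the session.
    delete_transient( $key );

    // The session belongs to the account the code was issued for, taken from our stored record.
    $user = get_user_by( 'id', (int) $pending['user_id'] );
    if ( ! $user ) {
        return $fail;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );

    return rest_ensure_response( array( 'logged_in' => true ) );
}
```

The points that matter for this advisory's weakness class are the ones the handler refuses to skip: the account is resolved from the server side record created at issuance, not from any identifier in the request; the code is verified before `wp_set_auth_cookie()` runs; and the code is short lived, single use and rate limited. A reviewer auditing an OTP login path can check each of those conditions directly.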
Recommendations
To safeguard sites, update to version 5.1.9. Until then, as a temporary workaround, disable the OTP login by phone number feature, including on the affected API endpoints, and restrict access to sensitive areas of the site to minimize the risk of exploitation.
Fix
Weakness classes: Missing Authentication (CWE-306); Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Related Identifiers
Affected Products
Adforest