Insecure Password Reset Vulnerability in Flight Plugin for WordPress
CVE-2024-9302

9.8 CRITICAL

What is CVE-2024-9302?

The App Builder plugin for WordPress is vulnerable to privilege escalation through improper handling of OTP (One-Time Password) requests in all versions up to and including 5.3.7. The functions that verify OTPs and update passwords lack sufficient security controls, so unauthenticated attackers can abuse them. By brute-forcing the OTP, an attacker can potentially take over any user's account, including administrator accounts, and change its password. This vulnerability spotlights the critical need for robust verification in password-management functionality to safeguard user accounts.
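An added example (not the plugin's code) modelling the bug class described above: an OTP reset flow whose verify step has no attempt limit, beside a hardened verify that limits attempts, expires codes and makes them single-use. The ResetStore class, the limits and the injectable clock are assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Constructed model of per-user OTP reset state; the policy values are assumptions.
OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed policy: invalidate the code after 5 wrong guesses
OTP_TTL_SECONDS = 600     # assumed policy: a code is valid for 10 minutes


class ResetStore:
    """In-memory store of pending password-reset OTPs (constructed for the example)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested offline
        self.pending = {}         # user -> {"otp", "issued", "attempts"}

    def issue(self, user):
        """Create a fresh random OTP for a user; the real plugin would e-mail it."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = {"otp": otp, "issued": self.now(), "attempts": 0}
        return otp

    def verify_unsafe(self, user, guess):
        """Vulnerable pattern: unlimited guesses, no expiry, code stays valid."""
        rec = self.pending.get(user)
        return rec is not None and rec["otp"] == guess

    def verify_hardened(self, user, guess):
        """Hardened pattern: bounded attempts, expiry, constant-time compare, single use."""
        rec = self.pending.get(user)
        if rec is None:
            return False
        if self.now() - rec["issued"] > OTP_TTL_SECONDS:
            del self.pending[user]          # expired: the user must request a new code
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]          # guess budget exhausted: invalidate the code
            return False
        if hmac.compare_digest(rec["otp"], guess):
            del self.pending[user]          # accepted once, then never again
            return True
        return False
```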

Affected Version(s)

App Builder – Create Native Android & iOS Apps On The Flight * <= 5.3.7

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley