Authentication Bypass Vulnerability in WordPress Crypto Plugin
CVE-2024-9989

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Crypto Tool
Vendor
CVE Published:
29 October 2024

Summary

The Crypto plugin for WordPress has a significant security flaw that allows unauthenticated attackers to bypass authentication protocols. This vulnerability stems from a limited arbitrary method call in the 'crypto_connect_ajax_process::log_in' function, which does not properly verify user credentials before permitting access. As a result, attackers can potentially gain unauthorized access as any user, including administrators, by simply knowing the target username. This flaw emphasizes the importance of keeping plugins updated to protect user data and site integrity.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/crypto/tags/2....
https://plugins.trac.wordpress.org/browser/crypto/tags/2....

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.