| Rule General Information | |
|---|---|
| Release Date: | 2025-01-14 |
| Rule Name: | WordPress Plugin Crypto 2.15 Authentication Bypass Vulnerability (CVE-2024-9989) |
| Severity: | |
| CVE ID: | CVE-2024-9989 |

| Rule Protection Details | |
|---|---|
| Description: | The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to the 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. |
| Impact: | An unauthenticated remote attacker can bypass authentication and gain access to the application with specially crafted requests. |
| Affected OS: | Windows, Linux, Others |
| Reference: | https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L138<br>https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L33<br>https://www.wordfence.com/threat-intel/vulnerabilities/id/e21bd924-1d96-4371-972a-5c99d67261cc?source=cve |
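The weakness class described above is an AJAX handler that invokes a method chosen by the request, so an unauthenticated caller can reach a method that sets an authentication cookie. The following is an added illustration of that pattern beside a hardened dispatcher; it is not the Crypto plugin's code, and the class, method, action and nonce names are hypothetical.

```php
<?php
// Added example (hypothetical names): an AJAX dispatcher that only exposes an
// explicit allowlist of methods, so session-changing code such as a log-in
// routine is never reachable through a request-supplied method name.
class Example_Ajax_Process {

    // Only these methods may be called by unauthenticated AJAX requests.
    private const PUBLIC_METHODS = ['get_status', 'get_rates'];

    // VULNERABLE PATTERN (for contrast, do not use): the method name comes
    // straight from the request, so any method on the class, including one
    // that logs a user in, becomes reachable without authentication.
    public function dispatch_unsafe() {
        $method = sanitize_text_field($_POST['method'] ?? '');
        if ($method !== '' && method_exists($this, $method)) {
            $this->$method();
        }
        wp_die();
    }

    // HARDENED: nonce check plus a strict allowlist; anything else is rejected.
    public function dispatch() {
        check_ajax_referer('example_ajax_nonce', 'nonce');
        $method = sanitize_key($_POST['method'] ?? '');
        if (!in_array($method, self::PUBLIC_METHODS, true)) {
            wp_send_json_error('unknown method', 400); // calls wp_die()
        }
        wp_send_json_success($this->$method());
    }

    private function get_status() { return ['ok' => true]; }
    private function get_rates()  { return []; }

    // Authentication state is changed only by WordPress's own login flow
    // (wp_signon / wp_set_auth_cookie); it is deliberately absent from
    // PUBLIC_METHODS and must never be exposed through a dispatcher.
}

$handler = new Example_Ajax_Process();
add_action('wp_ajax_nopriv_example_process', [$handler, 'dispatch']);
add_action('wp_ajax_example_process',        [$handler, 'dispatch']);
```

When reviewing a plugin for this class of bug, look for `$this->$var()`, `call_user_func` or `method_exists` fed from `$_POST`/`$_GET` in any handler registered with `wp_ajax_nopriv_*`.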
| Solutions | |
|---|---|
| Please contact the software vendor to update the software patch. | |