FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-10284

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Nov 9, 2024 / Updated: 11d ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Summary

The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This vulnerability is caused by a hardcoded encryption key in the 'ce21_authentication_phrase' function. As a result, unauthenticated attackers can potentially log in as any existing user on the site, including administrators, if they have access to the user's email.

Impact

This vulnerability has a severe impact on the security of WordPress sites using the affected CE21 Suite plugin. Attackers can bypass authentication and gain unauthorized access to user accounts, including those with administrative privileges. This could lead to complete compromise of the WordPress site, allowing attackers to: 1. Access and modify sensitive information 2. Install malicious plugins or themes 3. Deface the website 4. Use the compromised site for further attacks or to distribute malware 5. Delete or manipulate content 6. Access and potentially exfiltrate user data The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), indicating the highest severity level. This score reflects the ease of exploitation (low attack complexity, no user interaction required) and the potential for complete compromise of system confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch for this vulnerability is not explicitly mentioned in the provided information. However, given that the vulnerability affects "versions up to, and including, 2.2.0" of the CE21 Suite plugin, it is likely that a patched version higher than 2.2.0 may be available or in development. The security team should check for updates to the CE21 Suite plugin and apply them as soon as they become available.

Mitigation

While waiting for an official patch, the security team should consider the following mitigation steps: 1. Temporarily disable the CE21 Suite plugin if it's not critical for operations. 2. If the plugin must remain active, implement additional security measures such as IP restrictions for admin access and multi-factor authentication. 3. Monitor WordPress sites for any suspicious login activities or unexpected admin account creations. 4. Regularly audit user accounts and their privileges, removing any suspicious or unnecessary admin accounts. 5. Keep WordPress core, themes, and other plugins up-to-date. 6. Consider using a Web Application Firewall (WAF) to help block potential exploit attempts. 7. Implement the principle of least privilege for all user accounts. 8. Educate users about the importance of using strong, unique passwords and keeping their email accounts secure. Given the critical nature of this vulnerability (CVSS score 9.8), patching or mitigating this issue should be given the highest priority in the security team's remediation efforts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-10284

Nov 9, 2024 at 3:15 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 9, 2024 at 3:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-10284. See article

Nov 9, 2024 at 3:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 9, 2024 at 3:24 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 9, 2024 at 9:55 AM
Static CVE Timeline Graph

Affected Systems

Wordpress/wordpress
+null more

Links to Mitre Att&cks

T1083: File and Directory Discovery
+null more

Attack Patterns

CAPEC-127: Directory Indexing
+null more

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 4, 2024 to November 10, 2024)
Vulnerabilities Archives - Wordfence / 5d
WordPress Plugins with Reported Vulnerabilities Last Week Use constructor to create tables profit-products-tables-for-woocommerce Add Ribbon Shortcode add-ribbon Admin Amplify wpr-admin-amplify Advanced Video Player with Analytics advanced-video-player-with-analytics Adventure Bucket List adventure-bucket-list AgendaPress – Easily Publish Meeting Agendas and Programs on WordPress agendapress Ajax Content Filter ajax-content-filter Alert Me!
US-CERT Vulnerability Summary for the Week of November 4, 2024
RedPacket Security / 7d
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available.
Vulnerability Summary for the Week of November 4, 2024
Bulletins / 7d
High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source Info 1000 Projects--Beauty Parlour Management System A vulnerability, which was classified as critical, has been found in 1000 Projects Beauty Parlour Management System 1.0. This issue affects some unknown processing of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. 2024-11-10 7.3 CVE-2024-11055 1000 Projects--Bookstore Management System A vulnerability was found in 1000 Projects Bookstore Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /contact_process.php. The manipulation of the argument fnm leads to sql injection. The attack can be launched remotely.
NA - CVE-2024-10284 - The CE21 Suite plugin for WordPress is...
Security-Database Alerts Monitor : Last 100 Alerts / 10d
The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the...
CVE-2024-10284 | ce21com CE21 Suite Plugin up to 2.2.0 on WordPress ce21_authentication_phrase authentication bypass
VulDB Recent Entries / 10d
A vulnerability has been found in ce21com CE21 Suite Plugin up to 2.2.0 on WordPress and classified as critical . This vulnerability affects the function ce21_authentication_phrase . The manipulation leads to authentication bypass using alternate channel. This vulnerability was named CVE-2024-10284 . The attack can be initiated remotely. There is no exploit available.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 9.8(27010)CWE-288(210)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial