CVE-2024-49604

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Oct 20, 2024 / Updated: 30d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration from an unspecified version through version 5.5.

Impact

This vulnerability allows attackers to bypass authentication mechanisms in the Simple User Registration system. With a CVSS base score of 9.8 (Critical), it poses a severe risk. Successful exploitation could lead to unauthorized access to user accounts and sensitive information, potentially compromising the confidentiality, integrity, and availability of the system. Attackers may gain high-level privileges without proper authentication, allowing them to perform unauthorized actions, modify user data, or disrupt system operations.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects Simple User Registration through version 5.5, it's likely that a fix will be available in a version newer than 5.5. Users and administrators should monitor for updates from Najeeb Ahmad, the developer of Simple User Registration.

Mitigation

1. Update Simple User Registration to a version newer than 5.5 as soon as a patched version becomes available.
2. Implement additional authentication layers or multi-factor authentication if possible.
3. Monitor system logs for any suspicious authentication attempts or unusual access patterns.
4. Limit network access to the Simple User Registration system to trusted IP addresses or VPNs.
5. Regularly review and audit user accounts and access privileges.
6. Consider temporarily disabling the Simple User Registration system if it's not critical, until a patch is available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-49604

Oct 20, 2024 at 8:15 AM

CVSS

A CVSS base score of 9.8 has been assigned.

Oct 20, 2024 at 8:20 AM / nvd

First Article

Feedly found the first article mentioning CVE-2024-49604.

Oct 20, 2024 at 8:23 AM / Vulners.com RSS Feed

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 20, 2024 at 8:23 AM

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 21, 2024 at 10:12 AM

Affected Systems

Najeebmedia/simple_user_registration

Links to MITRE ATT&CK

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
NA - CVE-2024-49604 - Authentication Bypass Using an Alternate Path...
Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a...
CVE-2024-49604
Critical Severity Description Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through 5.5. Read more at https://www.tenable.com/cve/CVE-2024-49604
CVE-2024-49604 | Najeeb Ahmad Simple User Registration Plugin up to 5.5 on WordPress authentication bypass
A vulnerability classified as critical was found in Najeeb Ahmad Simple User Registration Plugin up to 5.5 on WordPress. This vulnerability affects unknown code. The manipulation leads to authentication bypass using alternate channel. This vulnerability was named CVE-2024-49604. The attack can be initiated remotely. There is no exploit available.
CVE-2024-49604
Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
