CVE-2024-9215

Authorization Bypass Through User-Controlled Key (CWE-639)

Published: Oct 17, 2024 / Updated: 34d ago

CVSS 8.8 / EPSS 0.06% / Severity: High

Summary

The WordPress plugin listed as "Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors" (PublishPress Authors) is vulnerable to an Insecure Direct Object Reference (IDOR) in its action_edited_author() function, in all versions up to and including 4.7.1. The handler trusts the user-controlled 'authors-user_id' key without checking that the caller is authorized to modify the account that key names (CWE-639), which can be leveraged for Privilege Escalation or Account Takeover.

Impact

An authenticated attacker with Author-level access or higher can update the email address of an arbitrary user account, including an administrator's. Once the administrator's email points at an address the attacker controls, an ordinary password reset delivers the reset link to the attacker, who sets a new password and takes over the account. The result is full administrative control of the WordPress site.
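The following is an added illustration of the CWE-639 shape the advisory describes, placed beside a hardened version; it is not the plugin's code and not taken from the advisory. Only the function name action_edited_author() and the 'authors-user_id' key come from the page. The 'authors-user_email' field, the nonce names and both handler bodies are assumptions made for the example.

```php
<?php
/**
 * Added example: the IDOR pattern behind CVE-2024-9215 and a hardened version.
 * NOT the plugin's code. Only action_edited_author() and 'authors-user_id'
 * come from the advisory; 'authors-user_email', the nonce action/field names
 * and the handler bodies are assumptions.
 */

// Vulnerable shape: whichever user id arrives in the request is the account
// that gets modified. An Author can reach this code path, so an Author can
// submit authors-user_id=1 and re-point the administrator's email address.
function action_edited_author_vulnerable( $term_id ) {
	if ( ! isset( $_POST['authors-user_id'], $_POST['authors-user_email'] ) ) {
		return;
	}
	$user_id = (int) $_POST['authors-user_id']; // user-controlled key, never authorized
	wp_update_user(
		array(
			'ID'         => $user_id,
			'user_email' => sanitize_email( wp_unslash( $_POST['authors-user_email'] ) ),
		)
	);
}

// Hardened shape: the request is verified, the key is validated, and the
// caller is authorized against the specific object the key names.
function action_edited_author_hardened( $term_id ) {
	if ( ! isset( $_POST['authors-user_id'], $_POST['authors-user_email'] ) ) {
		return;
	}
	// CSRF protection; nonce action and field names are assumed for this example.
	check_admin_referer( 'authors-edit-author', 'authors-nonce' );

	$user_id = absint( $_POST['authors-user_id'] );
	if ( 0 === $user_id || false === get_userdata( $user_id ) ) {
		return; // not a real user id; nothing to do
	}

	// Object-level authorization. 'edit_user' is a meta capability: WordPress
	// grants it for the caller's own account and, for any other account, only
	// to roles holding 'edit_users' (Administrator by default). Authors fail here.
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		wp_die(
			esc_html__( 'You are not allowed to edit this user.' ),
			'',
			array( 'response' => 403 )
		);
	}

	$email = sanitize_email( wp_unslash( $_POST['authors-user_email'] ) );
	if ( ! is_email( $email ) ) {
		return; // reject malformed input before it reaches the database
	}

	$result = wp_update_user(
		array(
			'ID'         => $user_id,
			'user_email' => $email,
		)
	);
	if ( is_wp_error( $result ) ) {
		error_log( 'author edit failed: ' . $result->get_error_message() );
	}
}
```

The decisive line is the current_user_can( 'edit_user', $user_id ) check: authorization has to be bound to the object the request names, not merely to "may use this admin screen". Where the design allows it, the stronger fix is to not read the target user id from the request at all and instead resolve it server-side from the record being edited (here that would be the author term's stored user mapping, which is assumed, not something the page documents).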

Exploitation

No public proof-of-concept is known, and there is no evidence of exploitation in the wild at the time of writing.

Patch

The information on this page does not name a fixed version. Because the advisory lists all versions up to and including 4.7.1 as affected, a fix would be expected in the next release (presumably 4.7.2 or later); confirm against the plugin's changelog before relying on it. Wordfence reports that it rolled out firewall rules for this vulnerability to its Premium, Care, and Response customers during the week of October 14 to 20, 2024 (see News).

Mitigation

1. Update the PublishPress Authors plugin to a version newer than 4.7.1 as soon as a fixed release is available.
2. Review who holds the Author role or higher. The attack needs only Author-level access, so every account at that level is a potential starting point; apply least privilege and audit permissions regularly.
3. Monitor and log changes to user account details, especially email address modifications on administrator accounts, and alert when the actor is not the account owner.
4. If an immediate update is not possible, consider temporarily disabling the PublishPress Authors plugin.
5. Enforce two-factor authentication for administrative accounts, so that a password reset alone no longer yields control of the account.
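As an added example of the monitoring in item 3 (not part of the page, the plugin or WordPress core), the snippet below hooks WordPress's profile_update action, records every user email change, and flags the specific pattern this IDOR produces: an actor other than the account owner changing an administrator's email without holding the edit_users capability. The log prefix and the JSON fields are this example's own choices.

```php
<?php
/**
 * Added example: audit user email changes in WordPress and flag the
 * CVE-2024-9215 pattern. Install as a small mu-plugin. The 'WP-AUDIT' prefix
 * and the field layout are choices made for this example.
 */

// Decision logic kept free of WordPress globals so it can be reasoned about
// and unit-tested on its own.
function authors_audit_is_suspicious( $actor_id, $actor_can_edit_users, $target_id, array $target_roles ) {
	// Someone other than the owner re-pointed an administrator's email while
	// lacking the capability that legitimately allows editing other users.
	// actor_id 0 (no logged-in user, e.g. cron or CLI) is flagged too and
	// should be reviewed rather than silently trusted.
	return (int) $actor_id !== (int) $target_id
		&& in_array( 'administrator', $target_roles, true )
		&& ! $actor_can_edit_users;
}

// profile_update fires after wp_update_user()/wp_insert_user() saves an
// existing user; $old_user_data is the WP_User object as it was before the save.
add_action(
	'profile_update',
	function ( $user_id, $old_user_data ) {
		$new_user = get_userdata( $user_id );
		if ( ! $new_user || $new_user->user_email === $old_user_data->user_email ) {
			return; // not an email change
		}

		$actor_id    = get_current_user_id(); // 0 when no user is logged in
		$actor       = $actor_id ? get_userdata( $actor_id ) : false;
		$actor_roles = $actor ? $actor->roles : array();

		$entry = array(
			'event'        => 'user_email_changed',
			'time'         => gmdate( 'c' ),
			'target_id'    => (int) $user_id,
			'target_login' => $new_user->user_login,
			'target_roles' => $new_user->roles,
			'old_email'    => $old_user_data->user_email,
			'new_email'    => $new_user->user_email,
			'actor_id'     => $actor_id,
			'actor_roles'  => $actor_roles,
			'remote_addr'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
			'request_uri'  => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
		);
		$entry['suspicious'] = authors_audit_is_suspicious(
			$actor_id,
			$actor_id ? user_can( $actor_id, 'edit_users' ) : false,
			$user_id,
			$new_user->roles
		);

		// Write to the PHP error log (or forward to a SIEM). Never send the alert
		// to the target's new address: after this attack it belongs to the attacker.
		error_log( 'WP-AUDIT ' . wp_json_encode( $entry ) );
	},
	10,
	2
);
```

A line with "suspicious":true in the log is exactly the sequence the advisory describes (Author-level actor, administrator target) and warrants an immediate check of that administrator's email and recent password resets. If the plugin's update path goes through wp_update_user(), WordPress core also mails the previous address about the change (controlled by the send_email_change_email filter), so an unexpected "email changed" notice received by an administrator is itself a takeover signal.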

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9215

Oct 17, 2024 at 2:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 17, 2024 at 2:15 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9215.

Oct 17, 2024 at 2:15 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 17, 2024 at 2:15 AM
Threat Intelligence Report

CVE-2024-9215 is a high-severity vulnerability (CVSS score: 8.8) in the PublishPress Authors plugin for WordPress, affecting all versions up to and including 4.7.1. It allows authenticated attackers with Author-level access or higher to exploit an insecure direct object reference to escalate privileges and potentially take over accounts, including administrators. The vulnerability arises from missing validation on the 'authors-user_id' key, enabling attackers to change email addresses and then reset passwords. The article does not provide information on exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts.

Oct 17, 2024 at 2:31 AM
EPSS

EPSS Score was set to: 0.06% (Percentile: 24.2%)

Oct 17, 2024 at 10:04 AM

Affected Systems

PublishPress Authors plugin for WordPress, all versions up to and including 4.7.1 (listed here as Wordpress/wordpress)

References

CVE-2024-9215 - WordPress PublishPress Authors Authentication Bypass
CVE ID : CVE-2024-9215 Published : Oct. 17, 2024, 2:15 a.m. Description : The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access. Severity: 8.8

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
High - CVE-2024-9215 - The Co-Authors, Multiple Authors and Guest...
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account...
CVE-2024-9215 | publishpress Co-Authors, Multiple Authors and Guest Authors in an Author Box Plugin action_edited_author authorization
A vulnerability has been found in publishpress Co-Authors, Multiple Authors and Guest Authors in an Author Box Plugin up to 4.7.1 on WordPress and classified as critical. Affected by this vulnerability is the function action_edited_author. The manipulation leads to authorization bypass. This vulnerability is known as CVE-2024-9215. The attack can be launched remotely. There is no exploit available.
Authors Plugin Vulnerable to Privilege Escalation/Account Takeover
PublishPress - HIGH - CVE-2024-9215 (restates the NVD description quoted under References)
CVE-2024-9215 (restates the NVD description quoted under References)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
