CVE-2024-9302

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

Published: Oct 25, 2024 / Updated: 25d ago

CVSS 9.8 / EPSS 0.06% / Critical

Summary

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.3.7. This vulnerability is caused by insufficient controls in the verify_otp_forgot_password() and update_password() functions, which fail to prevent successful brute force attacks on the OTP used for password changes. Additionally, these functions do not adequately verify that password reset requests originate from authorized users. As a result, unauthenticated attackers can generate and brute force an OTP, enabling them to change the passwords of any user account, including administrators.
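As an added illustration (not code from the plugin, Wordfence or this advisory), the following Python places the two failures the summary names beside a hardened reset flow: a verifier with no attempt budget and a password update that trusts whatever user id the caller supplies, versus one that bounds attempts, expires the code, compares in constant time, and lets update_password() act only on a single-use token bound to the account that actually passed verification. The class and function names, the in-memory storage and the constants are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6           # assumed code length for the example
MAX_ATTEMPTS = 5         # guesses allowed per issued code
OTP_TTL_SECONDS = 600    # code lifetime


def _new_otp():
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class WeakReset:
    """Constructed sketch of the two weaknesses the advisory describes."""

    def __init__(self):
        self.otps = {}        # user_id -> plaintext code
        self.passwords = {}   # user_id -> current password

    def request_reset(self, user_id):
        self.otps[user_id] = _new_otp()
        return self.otps[user_id]

    def verify_otp_forgot_password(self, user_id, otp):
        # No attempt counter and no expiry: every guess gets an answer.
        return self.otps.get(user_id) == otp

    def update_password(self, user_id, new_password):
        # Trusts the caller-supplied user id; nothing ties this call to a
        # successful OTP check, so any account can be overwritten.
        self.passwords[user_id] = new_password
        return True


class HardenedReset:
    """Attempt budget, expiry, constant-time compare, bound single-use token."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # user_id -> {"digest", "expires", "attempts"}
        self.reset_tokens = {}   # token -> user_id, consumed on first use
        self.passwords = {}

    @staticmethod
    def _digest(user_id, otp):
        # Store only a digest bound to the account, not the plaintext code.
        return hashlib.sha256(f"{user_id}:{otp}".encode()).digest()

    def request_reset(self, user_id):
        otp = _new_otp()
        self.pending[user_id] = {
            "digest": self._digest(user_id, otp),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp  # in a real system this goes out of band (e-mail/SMS)

    def verify_otp_forgot_password(self, user_id, otp):
        """Return a reset token on success, None otherwise."""
        rec = self.pending.get(user_id)
        if rec is None or self.clock() > rec["expires"]:
            self.pending.pop(user_id, None)
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[user_id]   # burn the code once the budget is spent
            return None
        if not hmac.compare_digest(rec["digest"], self._digest(user_id, otp)):
            return None
        del self.pending[user_id]       # a verified code cannot be replayed
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user_id
        return token

    def update_password(self, reset_token, new_password):
        # The caller names a token, not a user: the account is the one that
        # passed OTP verification, and the token is consumed here.
        user_id = self.reset_tokens.pop(reset_token, None)
        if user_id is None:
            return False
        self.passwords[user_id] = new_password
        return True


def guess_until_locked(service, user_id, correct_otp):
    """Spend MAX_ATTEMPTS wrong guesses, then present the correct code.

    Returns the verifier's answer to the correct code: True for WeakReset,
    None for HardenedReset because the attempt budget is already gone.
    """
    candidates = [f"{i:0{OTP_DIGITS}d}" for i in range(MAX_ATTEMPTS + 1)]
    wrong = [c for c in candidates if c != correct_otp][:MAX_ATTEMPTS]
    for code in wrong:
        service.verify_otp_forgot_password(user_id, code)
    return service.verify_otp_forgot_password(user_id, correct_otp)


if __name__ == "__main__":
    weak = WeakReset()
    print("weak:", guess_until_locked(weak, "admin", weak.request_reset("admin")))
    hard = HardenedReset()
    print("hardened:", guess_until_locked(hard, "admin", hard.request_reset("admin")))
```

The point of the hardened version is that the two functions are coupled: update_password() cannot be called for an account that did not just pass verify_otp_forgot_password(), and a code whose attempt budget has been spent is discarded rather than left waiting for the next guess.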

Impact

This vulnerability has a severe impact on the security of WordPress sites using the affected plugin. Attackers can potentially take over any user account, including those with administrative privileges. The consequences of such an attack could include:

1. Unauthorized access to the WordPress admin panel
2. Modification or deletion of website content
3. Installation of malicious plugins or themes
4. Access to sensitive user data or confidential information
5. Potential lateral movement to other connected systems or databases
6. Reputational damage to the affected website or organization

The severity of this vulnerability is underscored by its CVSS v3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires no user interaction, and can be executed by unauthenticated attackers, making it particularly dangerous.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

The information available does not name a specific patch. However, since the vulnerability affects all versions up to and including 5.3.7 of the App Builder plugin, a patched version higher than 5.3.7 is likely available or forthcoming. The security team should urgently check for updates to the plugin and apply them as soon as they become available. A change in the plugin's code was recorded on 2024-11-05, which might indicate a fix, but this should be verified.

Mitigation

To mitigate the risks associated with this vulnerability, the security team should consider the following actions:

1. Update the App Builder plugin to a version higher than 5.3.7 if available.
2. If an update is not yet available, temporarily disable the App Builder plugin until a patch is released.
3. Implement additional security measures such as two-factor authentication for all user accounts, especially administrative accounts.
4. Monitor user account activities and password changes closely for any suspicious behavior.
5. Limit the use of password recovery features to only trusted networks or IP ranges if possible.
6. Regularly audit user accounts and remove unnecessary privileges or outdated accounts.
7. Educate users about the risks associated with password reset procedures and encourage the use of strong, unique passwords.
8. Consider implementing a Web Application Firewall (WAF) to help detect and block potential brute force attempts.
9. Regularly backup the WordPress site and ensure the backup process is working correctly.
10. Keep all other WordPress core files, themes, and plugins up to date to maintain overall security posture.
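As an added example for the monitoring and WAF items above (not code from the advisory, Wordfence or the plugin), this Python scans web-server access log lines for bursts of POST requests to the OTP-verification endpoint from a single client, which is what a brute-force attempt on a 6-digit code looks like at the HTTP layer. The endpoint path and every log line are constructed placeholders: the real route has to be read from the plugin as deployed on your site, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed placeholder: read the actual route from the deployed plugin.
OTP_VERIFY_PATH = "/wp-json/EXAMPLE-PLUGIN/v1/verify-otp"
THRESHOLD = 10        # POSTs from one client within the window that raise an alert
WINDOW_SECONDS = 60

# Prefix shared by the Apache/Nginx "common" and "combined" formats; only
# the fields used below are captured, trailing referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def detect_otp_bursts(lines, path=OTP_VERIFY_PATH,
                      threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of OTP-verification POSTs per source IP.

    Returns a sorted list of (ip, peak_count) for clients whose count
    inside any `window`-second span reached `threshold`. Lines are
    expected in roughly chronological order per IP, as in a live log.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return sorted(peaks.items())


def constructed_log():
    """Twelve OTP POSTs in 33 seconds from one client, plus benign traffic.

    Addresses come from documentation ranges; every line here is made up.
    """
    burst = [
        f'203.0.113.5 - - [26/Oct/2024:09:53:{s:02d} +0000] '
        f'"POST {OTP_VERIFY_PATH} HTTP/1.1" 200 87'
        for s in range(0, 36, 3)
    ]
    benign = [
        f'198.51.100.7 - - [26/Oct/2024:09:53:10 +0000] "POST {OTP_VERIFY_PATH} HTTP/1.1" 200 87',
        '198.51.100.7 - - [26/Oct/2024:09:53:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4123',
        f'198.51.100.7 - - [26/Oct/2024:09:55:30 +0000] "POST {OTP_VERIFY_PATH} HTTP/1.1" 200 87',
    ]
    return burst + benign


if __name__ == "__main__":
    for ip, count in detect_otp_bursts(constructed_log()):
        print(f"ALERT {ip}: {count} OTP verification POSTs within {WINDOW_SECONDS}s")
```

Counting by source address catches a fast guess loop from one client but not a slow or distributed campaign spread across many addresses, and the HTTP status alone does not say whether a guess failed when the endpoint answers 200 with a JSON error body. Treat this as a signal to pair with a server-side attempt limit on the code itself (mitigation items 1 and 2), not a substitute for it.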

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9302.

Oct 25, 2024 at 6:56 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 7:02 AM
CVE Assignment

NVD published the first details for CVE-2024-9302

Oct 25, 2024 at 7:15 AM
CVSS

A CVSS base score of 8.1 has been assigned.

Oct 25, 2024 at 7:20 AM / nvd
EPSS

EPSS Score was set to: 0.06% (Percentile: 28.1%)

Oct 26, 2024 at 9:53 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 5, 2024 at 5:40 PM / nvd

Affected Systems

Appcheap/app_builder

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-50: Password Recovery Exploitation

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
Vulnerability Summary for the Week of October 21, 2024
High Vulnerabilities (columns: Primary Vendor — Product; Description; Published; CVSS Score; Source Info; Patch Info):
- Admin — Verbalize WP: Unrestricted Upload of File with Dangerous Type vulnerability in Admin Verbalize WP Upload a Web Shell to a Web Server. This issue affects Verbalize WP: from n/a through 1.0. Published 2024-10-23; CVSS 10; CVE-2024-49668; audit@patchstack.com
- advancedcoding — Comments wpDiscuz: The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. Published 2024-10-25; CVSS 9.8; CVE-2024-9488; security@wordfence.com
- Alexander De Ridder — INK Official: Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows Upload a Web Shell to a Web Server. This issue affects INK Official: from n/a through 4.1.2. Published 2024-10-23; CVSS 9.9; CVE-2024-49669; audit@patchstack.com
- Amazon — Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware: The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo (https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature) contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET (https://dotnet.microsoft.com/apps/aspnet) Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets.
US-CERT Vulnerability Summary for the Week of October 21, 2024

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
