CVE-2024-9488

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Oct 25, 2024 / Updated: 25d ago

010
CVSS 9.8EPSS 0.06%Critical
CVE info copied to clipboard

Summary

The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Impact

This vulnerability has a severe impact on the security of WordPress sites using the affected wpDiscuz plugin. Attackers can bypass authentication and gain unauthorized access to user accounts, including those with administrative privileges. This could lead to complete compromise of the WordPress site, allowing attackers to: 1. Access and modify sensitive information 2. Install malicious plugins or themes 3. Deface the website 4. Delete or manipulate content 5. Use the compromised site for further attacks or malicious activities The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), indicating its severe nature. The attack vector is network-based, requires no user interaction, and can be executed with low attack complexity, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects "all versions up to, and including, 7.6.24" of the wpDiscuz plugin, it is likely that a patched version higher than 7.6.24 has been or will be released to address this issue. Security teams should monitor for updates from the plugin developers and apply them as soon as they become available.

Mitigation

Until a patch is available, consider the following mitigation strategies: 1. Temporarily disable the wpDiscuz plugin if it's not critical to your operations. 2. If the plugin must be used, disable social login functionality to prevent exploitation of the vulnerable authentication mechanism. 3. Implement strong access controls and monitoring for administrative accounts. 4. Regularly audit user accounts and permissions, especially those with elevated privileges. 5. Use Web Application Firewalls (WAF) or similar security tools to detect and block potential authentication bypass attempts. 6. Keep WordPress core, themes, and all plugins up to date. 7. Implement the principle of least privilege for all user accounts. 8. Enable and configure two-factor authentication for all user accounts, especially administrative ones. 9. Monitor for any suspicious activities or unauthorized access attempts on your WordPress sites.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9488. See article

Oct 25, 2024 at 5:44 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 5:46 AM
CVE Assignment

NVD published the first details for CVE-2024-9488

Oct 25, 2024 at 6:15 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 25, 2024 at 6:20 AM / nvd
EPSS

EPSS Score was set to: 0.06% (Percentile: 28.5%)

Oct 26, 2024 at 9:53 AM
Static CVE Timeline Graph

Affected Systems

Gvectors/wpdiscuz
+null more

Patches

plugins.trac.wordpress.org
+null more

Links to Mitre Att&cks

T1083: File and Directory Discovery
+null more

Attack Patterns

CAPEC-127: Directory Indexing
+null more

News

WordPress Vulnerability & Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
WordPress Vulnerability &amp; Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Vulnerability Summary for the Week of October 21, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Admin–Verbalize WP Unrestricted Upload of File with Dangerous Type vulnerability in Admin Verbalize WP Upload a Web Shell to a Web Server.This issue affects Verbalize WP: from n/a through 1.0. 2024-10-23 10 CVE-2024-49668 audit@patchstack.com advancedcoding–Comments wpDiscuz The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. 2024-10-25 9.8 CVE-2024-9488 security@wordfence.com security@wordfence.com security@wordfence.com Alexander De Ridder–INK Official Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows Upload a Web Shell to a Web Server.This issue affects INK Official: from n/a through 4.1.2. 2024-10-23 9.9 CVE-2024-49669 audit@patchstack.com Amazon–Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets.
See 13 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI