CVE-2024-9637

Authorization Bypass Through User-Controlled Key (CWE-639)

Published: Oct 26, 2024 / Updated: 24d ago

CVSS 8.8 / EPSS 0.05% / Severity: High

Summary

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This vulnerability is due to the plugin's failure to properly validate a user's identity before updating their details, such as email addresses. As a result, authenticated attackers with teacher-level access or higher can change the email addresses of arbitrary users, including administrators. This vulnerability can be leveraged to reset a user's password and gain unauthorized access to their account.

Impact

The impact of this vulnerability is severe. Attackers with teacher-level access or higher can escalate their privileges to administrator level, potentially gaining full control over the WordPress site. This could lead to:

1. Unauthorized access to sensitive information stored in the school management system.
2. Modification or deletion of critical data.
3. Installation of malicious plugins or themes.
4. Defacement of the website.
5. Use of the compromised site for further attacks or malicious activities.

The CVSS v3.1 base score for this vulnerability is 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates a high severity vulnerability with a network-based attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, since the vulnerability affects "all versions up to, and including, 2.2.10" of the WPSchoolPress plugin, a patched version (presumably 2.2.11 or higher) is likely available or in development. The security team should check for updates to the WPSchoolPress plugin and apply them as soon as they become available.

Mitigation

While waiting for a patch, the following mitigation steps are recommended:

1. Temporarily disable the WPSchoolPress plugin if it's not critical for operations.
2. If the plugin must remain active, limit teacher-level access to only trusted users.
3. Implement additional authentication measures for changing user details, especially email addresses.
4. Regularly monitor and audit user account activities, particularly focusing on changes to email addresses and password resets.
5. Implement strong password policies and multi-factor authentication for all user accounts, especially administrator accounts.
6. Keep the WordPress core, all themes, and other plugins up-to-date.
7. Consider using a web application firewall (WAF) to help detect and block potential exploitation attempts.

Given the high severity score (CVSS 8.8) and the potential for privilege escalation to administrator level, this vulnerability should be prioritized for immediate attention and remediation.
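As an added illustration of the CWE-639 pattern behind the Summary and of mitigation step 3, here is a generic WordPress AJAX handler written for this page (it is not WPSchoolPress code, and the action name hyp_update_email and the request field names are hypothetical): the weak form trusts a client-supplied user id, while the hardened form binds the update to the authenticated caller or the edit_user capability, checks a nonce, and requires the caller's current password before an email address changes.

```php
<?php
// Added example, not WPSchoolPress code. Action and field names are hypothetical.

// WEAK: the target user id comes straight from the request and is never compared
// with the caller, so any logged-in user can rewrite anyone's email (CWE-639).
function weak_update_email() {
    $user_id = (int) $_POST['user_id'];
    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => sanitize_email( $_POST['email'] ),
    ) );
    wp_send_json_success();
}

// HARDENED: bind the update to the authenticated caller and re-verify identity.
function hardened_update_email() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'hyp_update_email', '_wpnonce' );

    $caller_id = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $new_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // 2. Object-level authorization: a user may edit only their own record unless
    //    WordPress grants them edit_user on that specific target (admins do).
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not allowed', 403 ); // exits
    }

    // 3. Input validation: reject malformed addresses or ones owned by another user.
    $owner = email_exists( $new_email );
    if ( ! is_email( $new_email ) || ( $owner && (int) $owner !== $target_id ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    // 4. Re-authentication: the email is the password-reset channel, so changing it
    //    requires the caller's current password, not just a session cookie.
    $caller   = wp_get_current_user();
    $password = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
    if ( ! wp_check_password( $password, $caller->user_pass, $caller->ID ) ) {
        wp_send_json_error( 'reauthentication failed', 401 );
    }

    wp_update_user( array( 'ID' => $target_id, 'user_email' => $new_email ) );

    // 5. Audit trail for mitigation step 4: record who changed whose email.
    error_log( sprintf( 'email change: actor=%d target=%d', $caller_id, $target_id ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hyp_update_email', 'hardened_update_email' );
```

The audit line is what step 4 monitors for: an actor id that differs from the target id on an email change is the event worth alerting on.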

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

- Oct 26, 2024 at 8:49 AM (Vulners.com RSS Feed): First Article. Feedly found the first article mentioning CVE-2024-9637.
- Oct 26, 2024 at 8:49 AM: CVSS Estimate. Feedly estimated the CVSS score as HIGH.
- Oct 26, 2024 at 9:15 AM: CVE Assignment. NVD published the first details for CVE-2024-9637.
- Oct 26, 2024 at 9:20 AM (nvd): CVSS. A CVSS base score of 8.8 has been assigned.
- Oct 27, 2024 at 10:25 AM: EPSS. EPSS Score was set to 0.05% (Percentile: 20.3%).

Affected Systems

Wordpress/wordpress

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Security Bulletin 30 Oct 2024 - Cyber Security Agency of Singapore
A vulnerability in the SSH subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to execute ...
Vulnerability Summary for the Week of October 21, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Admin–Verbalize WP Unrestricted Upload of File with Dangerous Type vulnerability in Admin Verbalize WP Upload a Web Shell to a Web Server.This issue affects Verbalize WP: from n/a through 1.0. 2024-10-23 10 CVE-2024-49668 audit@patchstack.com advancedcoding–Comments wpDiscuz The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. 2024-10-25 9.8 CVE-2024-9488 security@wordfence.com security@wordfence.com security@wordfence.com Alexander De Ridder–INK Official Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows Upload a Web Shell to a Web Server.This issue affects INK Official: from n/a through 4.1.2. 2024-10-23 9.9 CVE-2024-49669 audit@patchstack.com Amazon–Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. 
The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
