Authentication Bypass Using an Alternate Path or Channel (CWE-288)
The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This vulnerability is present in the Account extension and is caused by missing validation on the user being supplied in the 'verify_email' action. As a result, unauthenticated attackers can potentially log in as any existing user on the site, including administrators.
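The root cause named above, a verification step that trusts the user named in the request, is illustrated below with a weak handler beside a hardened one. This is an added example written for this page, not code from the HocWP plugin; the function names, the `example_verify_email` action and the `_example_email_verify` / `_example_email_verified` user-meta keys are assumptions, and only the WordPress core functions are real.

```php
<?php
// Added illustrative example, not the plugin's own code. Hypothetical names:
// example_* functions, the 'example_verify_email' action and the
// '_example_email_verify' / '_example_email_verified' user-meta keys.

// Weak pattern: the account to log in is taken from the request and nothing
// proves the requester ever received a verification link for that account.
function weak_verify_email_handler() {
    $user_id = absint( $_GET['user_id'] ?? 0 );
    wp_set_auth_cookie( $user_id );   // logs in whichever user was named
    wp_safe_redirect( home_url() );
    exit;
}

// Hardened pattern: a random, single-use, expiring token is stored hashed
// against the user at issue time and must be presented on verification.
function example_issue_verification( $user_id ) {
    $token = wp_generate_password( 32, false );        // high-entropy secret
    update_user_meta( $user_id, '_example_email_verify', array(
        'hash'    => wp_hash_password( $token ),       // never store the raw token
        'expires' => time() + HOUR_IN_SECONDS,
    ) );
    return add_query_arg( array(
        'action' => 'example_verify_email',
        'uid'    => $user_id,
        'token'  => $token,
    ), home_url( '/' ) );
}

function example_verify_email_handler() {
    $user_id = absint( $_GET['uid'] ?? 0 );
    $token   = (string) ( $_GET['token'] ?? '' );
    $user    = get_user_by( 'id', $user_id );
    $meta    = get_user_meta( $user_id, '_example_email_verify', true );

    // The user id alone is never sufficient: the token must exist, be
    // unexpired, and match the hash stored for exactly this user.
    if ( ! $user || '' === $token || ! is_array( $meta )
        || time() > $meta['expires']
        || ! wp_check_password( $token, $meta['hash'] ) ) {
        wp_die( 'Invalid or expired verification link.', '', array( 'response' => 403 ) );
    }
    delete_user_meta( $user_id, '_example_email_verify' );   // single use
    update_user_meta( $user_id, '_example_email_verified', 1 );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( home_url() );
    exit;
}
add_action( 'admin_post_nopriv_example_verify_email', 'example_verify_email_handler' );
```

On the detection side, a successful login that is not preceded by a matching issued token for the same user id is the event worth alerting on.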
This vulnerability has a severe impact on the security of affected WordPress sites. Attackers can bypass authentication and gain unauthorized access to user accounts, including those with administrative privileges. This could lead to:
1. Complete compromise of the WordPress site
2. Unauthorized access to sensitive information
3. Modification or deletion of site content
4. Installation of malicious plugins or themes
5. Potential lateral movement to other connected systems or databases
The CVSS v3.1 base score of 9.8 (Critical) indicates the highest severity level, with high impact on confidentiality, integrity, and availability.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.
A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects versions up to and including 0.2.3.2 of the Extensions by HocWP Team plugin, it is likely that an update addressing this issue has been or will be released. Site administrators should check for and apply the latest version of the plugin as soon as it becomes available.
1. Immediately update the Extensions by HocWP Team plugin to a version newer than 0.2.3.2 if available.
2. If an update is not available, consider disabling or removing the plugin until a patch is released.
3. Implement strong access controls and monitor for any suspicious login activity.
4. Use a Web Application Firewall (WAF) to help filter and block potential exploit attempts.
5. Regularly audit user accounts and permissions, especially those with administrative access.
6. Keep WordPress core, all themes, and other plugins up to date.
7. Implement multi-factor authentication for all user accounts, especially administrative ones.
8. Conduct a thorough security audit of the WordPress installation to identify any potential compromise.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-9930.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9930
A CVSS base score of 9.8 has been assigned.
EPSS Score was set to: 0.09% (Percentile: 39.9%)
CVE-2024-9930 is a critical authentication bypass vulnerability in the Extensions by HocWP Team plugin for WordPress, affecting versions up to 0.2.3.2, with a CVSS score of 9.8. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but site administrators are advised to update the plugin immediately or consider disabling it until a patch is released. Mitigations include implementing strong access controls, using Web Application Firewalls, and conducting security audits to prevent unauthorized access.