CVE-2024-9988

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 9.8 / EPSS 0.09% / Critical

Summary

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
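The bug class named in the summary (CWE-288: a second code path that hands out a session without proving identity) is easiest to see next to its fix. The following is an added example written for this page, not the Crypto plugin's own code, which is not reproduced here: the function names, the AJAX action name 'demo_connect' and the request parameter names are assumptions, while every WordPress call used is a core API. The vulnerable shape trusts the caller-supplied username; the hardened shapes either only log in an account the request itself just created, or route an existing user through core's wp_signon() so the password is actually checked.

```php
<?php
/*
 * Added example illustrating CWE-288 in a WordPress AJAX handler.
 * NOT the Crypto plugin's code. Names marked "demo_" are assumptions.
 */

// VULNERABLE SHAPE. An unauthenticated ("nopriv") AJAX handler looks up whatever
// username the caller sent and hands that account a session. Sanitizing the
// string is not validating the identity: nothing proves the caller owns the
// account, so anyone who knows an administrator's login name becomes that admin.
function demo_vulnerable_register() {
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        // Registration branch omitted; the dangerous branch is "user already exists".
        wp_send_json_error( 'no such user', 404 );
    }
    wp_set_current_user( $user->ID );       // missing validation: no credential was checked
    wp_set_auth_cookie( $user->ID, true );  // session cookie minted for an attacker-chosen user
    wp_send_json_success( array( 'logged_in_as' => $user->user_login ) );
}

// HARDENED SHAPE, part 1: a registration endpoint must never attach a session to an
// account that already exists. Only an account created by this very request may be
// logged in automatically, because the caller just chose its password.
function demo_hardened_register() {
    check_ajax_referer( 'demo_connect', 'nonce' ); // CSRF guard only; nopriv nonces are obtainable
    $login    = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ), true ) : '';
    $email    = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    $password = isset( $_POST['user_password'] ) ? (string) wp_unslash( $_POST['user_password'] ) : '';

    if ( '' === $login || ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'invalid registration data', 400 );
    }
    // One generic error for both cases so the endpoint cannot be used to enumerate accounts.
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( 'registration failed', 400 );
    }
    $user_id = wp_create_user( $login, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( 'registration failed', 400 );
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    do_action( 'wp_login', $login, get_user_by( 'id', $user_id ) ); // keep login-audit hooks informed
    wp_send_json_success( array( 'registered' => $login ) );
}

// HARDENED SHAPE, part 2: if the endpoint is meant to log in an EXISTING user, route
// it through wp_signon(). Core then verifies the password via the 'authenticate'
// filter chain (which is also where lockout and 2FA plugins hook in) and only after
// that sets the cookie and fires 'wp_login'.
function demo_hardened_login() {
    check_ajax_referer( 'demo_connect', 'nonce' );
    $login    = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $password = isset( $_POST['user_password'] ) ? (string) wp_unslash( $_POST['user_password'] ) : '';

    $user = wp_signon(
        array( 'user_login' => $login, 'user_password' => $password, 'remember' => false ),
        is_ssl()
    );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'authentication failed', 401 ); // same message for bad user and bad password
    }
    wp_send_json_success( array( 'logged_in_as' => $user->user_login ) );
}

// Wire up ONE of the hardened handlers; the vulnerable one is shown only for contrast.
add_action( 'wp_ajax_nopriv_demo_connect', 'demo_hardened_login' );
```

The point of the split is that "register" and "log in" are different trust decisions: creating a fresh account and handing it a session is fine, but a handler that falls back to "the user exists, so log them in" has become an unauthenticated login endpoint. wp_set_auth_cookie() itself performs no authentication; it must only ever be reached after wp_signon() (or an equivalent credential check) has succeeded.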

Impact

This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user on the site, including administrators. The impact is severe, as it can lead to complete compromise of the WordPress site. Attackers could potentially:

1. Gain administrative access to the WordPress dashboard
2. Modify or delete website content
3. Install malicious plugins or themes
4. Access and exfiltrate sensitive user data
5. Use the compromised site for further attacks or to host malicious content

The CVSS v3.1 base score is 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires no user interaction, and has low attack complexity, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence of a public proof-of-concept, and no evidence of exploitation in the wild at the moment.

Patch

The information on this page does not name a patched version. Since the affected range is "up to and including 2.15", any later release of the Crypto plugin is the candidate fix, and one is likely available or in development. Check the plugin's changelog or advisory to confirm the fix is present before relying on a given version, and apply the update immediately once confirmed.

Mitigation

1. Update the Crypto plugin for WordPress to a version newer than 2.15, if one is available.
2. If no update is available, temporarily deactivate the Crypto plugin until a patch is released.
3. Implement strong access controls and apply the principle of least privilege to WordPress user accounts.
4. Use a Web Application Firewall (WAF) configured to detect and block authentication bypass attempts.
5. Monitor WordPress installations for suspicious login activity, especially on administrative accounts.
6. Implement two-factor authentication for all WordPress user accounts, especially administrative ones. Treat this as defence in depth only: an alternate-path bypass by definition does not pass through the normal login flow where 2FA is enforced, so it is not a substitute for the update.
7. Regularly audit user accounts and remove any that are unnecessary or outdated.
8. Keep WordPress core, all themes, and other plugins up to date.
9. Consider using a security plugin that can detect and block unauthorized access attempts.
10. Back up your WordPress site regularly to enable quick recovery after a successful attack.
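Mitigation item 5 (monitoring for suspicious logins) needs a signal that distinguishes a bypass from a normal login. One observable footprint of an alternate-path login is that an anonymous caller ends up holding an auth cookie without core's wp_signon() ever completing, which is detectable because wp_set_auth_cookie() fires 'set_auth_cookie' while a genuine login additionally fires 'wp_login'. The must-use plugin below is an added example for this page, not part of the Crypto plugin or of any published detection: it uses only core hooks ('init', 'set_auth_cookie', 'wp_login', 'shutdown'); the log sink (PHP error_log) and the allow-list contents are placeholders.

```php
<?php
/*
 * Plugin Name: Session-mint audit (added example)
 *
 * Logs any request in which an anonymous caller ends up holding a WordPress
 * auth cookie without wp_signon() having completed. Install by copying into
 * wp-content/mu-plugins/ so it loads before ordinary plugins.
 *
 * Assumptions: error_log() as the sink and the (empty) allow-list are
 * placeholders; everything else is core WordPress API.
 */

$GLOBALS['sma_state'] = array(
    'user_at_start' => null,    // user ID carried by the incoming cookie; 0 = anonymous
    'minted'        => array(), // user IDs that were handed an auth cookie this request
    'wp_login'      => false,   // true once core's 'wp_login' action has fired
);

// 'init' at priority 0: the incoming cookie has already been validated, but no
// plugin AJAX handler has run yet, so this is the caller's identity "before".
add_action( 'init', function () {
    $GLOBALS['sma_state']['user_at_start'] = get_current_user_id();
}, 0 );

// Fires inside wp_set_auth_cookie() for every session cookie WordPress issues.
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id ) {
    $GLOBALS['sma_state']['minted'][] = (int) $user_id;
}, 10, 4 );

// Fires at the end of wp_signon(), i.e. only after the 'authenticate' filter
// chain (password check, lockout/2FA plugins) has accepted the credentials.
add_action( 'wp_login', function () {
    $GLOBALS['sma_state']['wp_login'] = true;
}, 10, 0 );

/**
 * The rule itself, kept free of WordPress globals so it can be reasoned about
 * (and unit-tested) on its own.
 *
 * @param array  $state      shape of $GLOBALS['sma_state']
 * @param string $script     script that served the request, e.g. '/wp-admin/admin-ajax.php'
 * @param array  $allow_list basenames of scripts allowed to mint sessions for anonymous callers
 * @return int[] user IDs whose new session was not produced by wp_signon(); empty = nothing to report
 */
function sma_suspicious_user_ids( array $state, $script, array $allow_list = array() ) {
    if ( $state['wp_login'] ) {
        return array();             // normal login: credentials were verified by core
    }
    if ( 0 !== (int) $state['user_at_start'] ) {
        return array();             // already authenticated: cookie refresh, password change, etc.
    }
    if ( in_array( basename( $script ), $allow_list, true ) ) {
        return array();             // reviewed auto-login flow (e.g. a registration plugin)
    }
    return array_values( array_unique( $state['minted'] ) );
}

// Evaluate once the whole request has run: 'set_auth_cookie' fires BEFORE
// 'wp_login' inside wp_signon(), and 'shutdown' still runs after the exit()
// that wp_send_json_*() / wp_die() perform in AJAX handlers.
add_action( 'shutdown', function () {
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? $_SERVER['SCRIPT_NAME'] : '';
    $ids    = sma_suspicious_user_ids( $GLOBALS['sma_state'], $script, array() );
    if ( $ids ) {
        error_log( sprintf(
            'session-mint-audit: auth cookie issued to user(s) %s for anonymous caller %s via %s action=%s, no wp_login',
            implode( ',', $ids ),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
            $script,
            isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-'
        ) );
    }
} );
```

A login through wp-login.php produces no entry, because wp_signon() fires 'wp_login'. A request matching the pattern described on this page (anonymous caller, admin-ajax.php, cookie issued for an existing account, no 'wp_login') produces one line with the caller's address, the target user ID and the AJAX action name, which is enough to pivot into access logs. Plugins that legitimately auto-login freshly registered users without firing 'wp_login' will also trigger it; add their scripts to the allow-list only after reviewing that they authenticate or create the account themselves. This is a detection aid, not a block: the session is still issued.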

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152340)

Oct 29, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-9988.

Oct 29, 2024 at 4:41 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 29, 2024 at 4:41 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 29, 2024 at 4:48 PM
CVE Assignment

NVD published the first details for CVE-2024-9988

Oct 29, 2024 at 5:15 PM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 29, 2024 at 5:21 PM / nvd
Threat Intelligence Report

CVE-2024-9988 is a critical authentication bypass vulnerability in the Crypto plugin for WordPress, affecting versions up to 2.15, with a CVSS score of 9.8, allowing unauthenticated attackers to log in as any existing user, including administrators. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but mitigations include updating the plugin, implementing strong access controls, and using a Web Application Firewall. Detection for this vulnerability has been added to Qualys, and while a specific patch is not mentioned, users are advised to check for updates.

Oct 29, 2024 at 11:28 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 40%)

Oct 30, 2024 at 10:18 AM

Affected Systems

Odude/crypto_tool

Links to Mitre Att&cks

T1083: File and Directory Discovery

Attack Patterns

CAPEC-127: Directory Indexing

References

CVE-2024-9988 - Exploits & Severity - Feedly
Use the compromised site for further attacks or to host malicious content The CVSS v3.1 base score is 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user on the site, including administrators.

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 28, 2024 to November 3, 2024)
WordPress Plugins with Reported Vulnerabilities Last Week All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
hatvix1/CVE-2024-9988
The vulnerability has high impact on confidentiality, integrity, and availability of the affected systems. Exploit : Availability: Not public, only private.
CVE Alert: CVE-2024-9988 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9988/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9988
- CRITICAL - CVE-2024-9988 The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
CVE-2024-9988
This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
