CVE-2024-10924

216.73.216.233

· Published 15/11/2024 04:15 · Modified 20/11/2024 14:44

Labels: CVE-2024-10924 2024-11-15 CVE-2024-10924 CWE-288 CWE-306 [email protected]

Essential information

Published: 15/11/2024 04:15
Modified: 20/11/2024 14:44
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
really-simple-plugins / really simple security	`cpe:2.3:a:really-simple-plugins:really_simple_security:::::-:wordpress::`
really-simple-plugins / really simple security	`cpe:2.3:a:really-simple-plugins:really_simple_security:::::pro:wordpress::`
really-simple-plugins / really simple security	`cpe:2.3:a:really-simple-plugins:really_simple_security:::::pro_multisite:wordpress::`