CVE-2024-10924 Vulnerability Details

  /     /     /  

CVE-2024-10924 Metadata Quick Info

CVE Published: 15/11/2024 | CVE Updated: 19/11/2024 | CVE Year: 2024
Source: Wordfence | Vendor: Really Simple Plugins | Product: Really Simple Security Pro multisite
Status : PUBLISHED

---

CVE-2024-10924 Description

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the \'check_login_and_get_user\' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

Metrics

CVSS Version: 3.1 | Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-288
CWE Name: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Source: Really Simple Plugins

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).