CVE-2024-3729 Vulnerability Details


CVE-2024-3729 Metadata Quick Info

CVE Published: 02/05/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: Wordfence | Vendor: shabti | Product: Frontend Admin by DynamiApps
Status : PUBLISHED

CVE-2024-3729 Description

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper handling of the missing-encryption exception in the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user-processing forms, which can be used to add and edit administrator users for privilege escalation or to automatically log in users for authentication bypass, or to manipulate the post-processing form, which can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' PHP extension is not loaded on the server.
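As an added, constructed example of the CWE-636 pattern the description names (not the plugin's code, which this record does not reproduce): a PHP encryption helper that silently falls back to plaintext when the openssl extension is missing, beside a fail-closed version that refuses to run without it and authenticates its output so a tampered token is rejected on the way back in. Function names are hypothetical, and the key is assumed to be a 32-byte secret.

```php
<?php
// Constructed illustration of CWE-636 (failing open) in a PHP encryption helper,
// modelled on the description above. Not the plugin's code; all names are hypothetical.

// Fail-open shape: when openssl is absent the helper still "succeeds", returning an
// encoded copy of the plaintext, so any form token that relies on it becomes forgeable.
function demo_encrypt_fail_open(string $plaintext, string $key): string {
    if (!extension_loaded('openssl')) {
        return base64_encode($plaintext);   // silently degrades to no protection
    }
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}
// Fail-closed shape: refuse to run without the primitive, and authenticate the
// ciphertext so a tampered or forged token is rejected instead of being trusted.
// Separate AES and HMAC keys are derived from one 32-byte secret via HKDF.
function demo_encrypt_fail_closed(string $plaintext, string $key): string {
    if (!extension_loaded('openssl')) {
        throw new RuntimeException('openssl missing: refusing to emit unprotected data');
    }
    $encKey = hash_hkdf('sha256', $key, 32, 'enc');
    $macKey = hash_hkdf('sha256', $key, 32, 'mac');
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}

function demo_decrypt_fail_closed(string $token, string $key): string {
    if (!extension_loaded('openssl')) {
        throw new RuntimeException('openssl missing: refusing to process token');
    }
    $encKey = hash_hkdf('sha256', $key, 32, 'enc');
    $macKey = hash_hkdf('sha256', $key, 32, 'mac');
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {   // iv + one AES block + HMAC
        throw new RuntimeException('malformed token');
    }
    $iv = substr($raw, 0, 16);
    $ct = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), substr($raw, -32))) {
        throw new RuntimeException('token integrity check failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}
```

A quick check for the precondition on a given host is `php -m | grep -i openssl`; the fail-closed helper throws, rather than emitting a forgeable value, when that check would come back empty.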

Metrics

CVSS Version: 3.1 | Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope (S): Unchanged

Impact Metrics:
    Confidentiality Impact (C): High
    Integrity Impact (I): High
    Availability Impact (A): High

Weakness Enumeration (CWE)

CWE-ID: CWE-636
CWE Name: Not Failing Securely ('Failing Open')
Source: shabti

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: