9.8

CVE-2024-8853

EPSS 0.41%
Veröffentlicht 20.09.2024 08:15:11
Zuletzt bearbeitet 25.09.2024 17:49:25
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Webo-facto <= 1.40 - Unauthenticated Privilege Escalation

The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains '-wfuser'.

Mögliche Gegenmaßnahme

Webo-facto: Update to version 1.41, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Webo-facto

Version *-1.40

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Medialibs ≫ Webo-facto SwPlatformwordpress Version < 1.41

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.608

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://plugins.trac.wordpress.org/browser/webo-facto-connector/tags/1.40/WeboFacto/Sso.php#L78

Product

https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-8853

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8853

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8853

EUVD