9.8
CVE-2024-8853
- EPSS 0.65%
- Veröffentlicht 20.09.2024 08:15:11
- Zuletzt bearbeitet 25.09.2024 17:49:25
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWebo-facto <= 1.40 - Unauthenticated Privilege Escalation
Webo-facto <= 1.40 - Unauthenticated Privilege Escalation
The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains '-wfuser'.
Mögliche Gegenmaßnahme
Webo-facto: Update to version 1.41, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Medialibs ≫ Webo-facto SwPlatformwordpress Version < 1.41
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Webo-facto
Version
*-1.40
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.65% | 0.461 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
https://plugins.trac.wordpress.org/browser/webo-facto-connector/tags/1.40/WeboFacto/Sso.php#L78
https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9