CVE-2024-52475 - Vulnerability Details - OpenCVE

Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.46626.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Automation Web Platform	Wawp

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Update the WordPress Wawp plugin to the latest available version (at least 3.0.18).

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve

History

Fri, 29 Nov 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Automation Web Platform Automation Web Platform wawp
CPEs		cpe:2.3:a:automation_web_platform:wawp::::::::
Vendors & Products		Automation Web Platform Automation Web Platform wawp
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 28 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
Description		Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18.
Title		WordPress Wawp plugin < 3.0.18 - Account Takeover vulnerability
Weaknesses		CWE-288
References		https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2024-11-28T10:34:02.078Z

Updated: 2024-11-29T18:55:14.119Z

Reserved: 2024-11-11T06:40:17.791Z

Link: CVE-2024-52475

Vulnrichment

Updated: 2024-11-29T18:55:08.083Z

NVD

Status : Received

Published: 2024-11-28T11:15:49.230

Modified: 2024-11-28T11:15:49.230

Link: CVE-2024-52475

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52475", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2024-11-11T06:40:17.791Z", "datePublished": "2024-11-28T10:34:02.078Z", "dateUpdated": "2024-11-29T18:55:14.119Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "automation-web-platform", "product": "Wawp", "vendor": "Automation Web Platform", "versions": [{"changes": [{"at": "3.0.18", "status": "unaffected"}], "lessThan": "3.0.18", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "stealthcopter (Patchstack Alliance)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.<p>This issue affects Wawp: from n/a before 3.0.18.</p>"}], "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-11-28T10:34:02.078Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress Wawp plugin to the latest available version (at least 3.0.18)."}], "value": "Update the WordPress Wawp plugin to the latest available version (at least 3.0.18)."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Wawp plugin < 3.0.18 - Account Takeover vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "automation_web_platform", "product": "wawp", "cpes": ["cpe:2.3:a:automation_web_platform:wawp:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.0.18", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-29T18:53:48.830864Z", "id": "CVE-2024-52475", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T18:55:14.119Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-29T18:53:48.830864Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:automation_web_platform:wawp:*:*:*:*:*:*:*:*"], "vendor": "automation_web_platform", "product": "wawp", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.18", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T18:55:08.083Z"}}], "cna": {"title": "WordPress Wawp plugin < 3.0.18 - Account Takeover vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "stealthcopter (Patchstack Alliance)"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Automation Web Platform", "product": "Wawp", "versions": [{"status": "affected", "changes": [{"at": "3.0.18", "status": "unaffected"}], "version": "n/a", "lessThan": "3.0.18", "versionType": "custom"}], "packageName": "automation-web-platform", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Wawp plugin to the latest available version (at least 3.0.18).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Wawp plugin to the latest available version (at least 3.0.18).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-3-0-18-account-takeover-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.<p>This issue affects Wawp: from n/a before 3.0.18.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-11-28T10:34:02.078Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52475", "state": "PUBLISHED", "dateUpdated": "2024-11-29T18:55:14.119Z", "dateReserved": "2024-11-11T06:40:17.791Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2024-11-28T10:34:02.078Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}