The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
History

Wed, 06 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gvectors
Gvectors wpdiscuz
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
Vendors & Products Gvectors
Gvectors wpdiscuz

Fri, 25 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 25 Oct 2024 05:45:00 +0000

Type Values Removed Values Added
Description The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
Title Comments – wpDiscuz <= 7.6.24 - Authentication Bypass
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-10-25T05:35:29.077Z

Updated: 2024-10-25T20:12:18.574Z

Reserved: 2024-10-03T17:43:55.130Z

Link: CVE-2024-9488

cve-icon Vulnrichment

Updated: 2024-10-25T20:12:04.162Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-25T06:15:13.727

Modified: 2024-11-06T14:57:04.457

Link: CVE-2024-9488

cve-icon Redhat

No data.