CVE-2024-7781

The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully patched in version 4.7.8.
Configurations

Configuration 1 (hide)

cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*

History

02 Oct 2024, 16:21

Type Values Removed Values Added
CPE cpe:2.3:a:artbees:jupiter_x_core:*:*:*:*:*:wordpress:*:*
First Time Artbees
Artbees jupiter X Core
CWE CWE-306
References () https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/social-login-handler/facebook.php - () https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/social-login-handler/facebook.php - Product
References () https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/social-login-handler/google.php - () https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/social-login-handler/google.php - Product
References () https://plugins.trac.wordpress.org/changeset/3153667/ - () https://plugins.trac.wordpress.org/changeset/3153667/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/efd279c2-9e95-45bd-9494-fb53a6333c65?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/efd279c2-9e95-45bd-9494-fb53a6333c65?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 8.1
v2 : unknown
v3 : 9.8

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) El complemento Jupiter X Core para WordPress es vulnerable a la omisión de la autenticación en todas las versiones hasta la 4.7.5 incluida. Esto se debe a una autenticación incorrecta a través del widget de inicio de sesión social. Esto permite que atacantes no autenticados inicien sesión como el primer usuario que haya iniciado sesión con una cuenta de red social, incluidas las cuentas de administrador. Los atacantes pueden explotar la vulnerabilidad incluso si el elemento de inicio de sesión social se ha deshabilitado, siempre que se haya habilitado y utilizado previamente. La vulnerabilidad se solucionó parcialmente en la versión 4.7.5 y completamente en la versión 4.7.8.

26 Sep 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-26 05:15

Updated : 2024-10-02 16:21


NVD link : CVE-2024-7781

Mitre link : CVE-2024-7781

CVE.ORG link : CVE-2024-7781


JSON object : View

Products Affected

artbees

  • jupiter_x_core
CWE
CWE-306

Missing Authentication for Critical Function

CWE-288

Authentication Bypass Using an Alternate Path or Channel