CVE-2024-9289

The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email.
Configurations

Configuration 1 (hide)

cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:wordpress:*:*

History

07 Oct 2024, 18:25

Type Values Removed Values Added
CPE cpe:2.3:a:redefiningtheweb:affiliate_pro:*:*:*:*:*:wordpress:*:*
References () https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333 - () https://codecanyon.net/item/wordpress-woocommerce-affiliate-program/23580333 - Product, Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/ed19835f-2718-41d8-95af-47c8b9589529?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/ed19835f-2718-41d8-95af-47c8b9589529?source=cve - Third Party Advisory
CWE CWE-306
First Time Redefiningtheweb affiliate Pro
Redefiningtheweb

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) El complemento WordPress & WooCommerce Affiliate Program para WordPress es vulnerable a la omisión de autenticación en todas las versiones hasta la 8.4.1 incluida. Esto se debe a que la función rtwwwap_login_request_callback() no valida correctamente la identidad de un usuario antes de autenticarlo en el sitio. Esto hace posible que atacantes no autenticados inicien sesión como cualquier usuario, incluidos los administradores, siempre que tengan acceso al correo electrónico del administrador.

01 Oct 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-01 09:15

Updated : 2024-10-07 18:25


NVD link : CVE-2024-9289

Mitre link : CVE-2024-9289

CVE.ORG link : CVE-2024-9289


JSON object : View

Products Affected

redefiningtheweb

  • affiliate_pro
CWE
CWE-306

Missing Authentication for Critical Function

CWE-288

Authentication Bypass Using an Alternate Path or Channel