Vulnerabilities (CVE)

Filtered by CWE-288
Total 103 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-9988 1 Odude 1 Crypto Tool 2024-11-07 N/A 9.8 CRITICAL
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
CVE-2024-49675 1 Vitaliibryl 1 Switch User 2024-11-06 N/A 8.8 HIGH
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vitalii Bryl iBryl Switch User allows Authentication Bypass. This issue affects iBryl Switch User: from n/a through 1.0.1.
CVE-2024-10081 2024-11-06 N/A 10.0 CRITICAL
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. All endpoints apart from /Authentication are affected by the vulnerability. This issue affects CodeChecker: through 6.24.1.
CVE-2024-9488 1 Gvectors 1 Wpdiscuz 2024-11-06 N/A 9.8 CRITICAL
The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVE-2024-47406 2 Sharp, Toshibatec 640 Bp-30c25, Bp-30c25 Firmware, Bp-30c25t and 637 more 2024-11-05 N/A 9.8 CRITICAL
Sharp and Toshiba Tec MFPs improperly process HTTP authentication requests, resulting in an authentication bypass vulnerability.
CVE-2024-50503 2024-11-01 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass. This issue affects User Toolkit: from n/a through 1.2.3.
CVE-2024-50488 1 Priyabratasarkar 1 Token Login 2024-10-31 N/A 8.8 HIGH
Authentication Bypass Using an Alternate Path or Channel vulnerability in Priyabrata Sarkar Token Login allows Authentication Bypass. This issue affects Token Login: from n/a through 1.0.3.
CVE-2024-10438 1 Sun.net 1 Ehdr Ctms 2024-10-31 N/A 7.5 HIGH
The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.
CVE-2024-50477 1 Stacksmarket 1 Stacks Mobile App Builder 2024-10-31 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass. This issue affects Stacks Mobile App Builder: from n/a through 5.2.3.
CVE-2024-50487 1 Maantheme 1 Maanstore Api 2024-10-31 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass. This issue affects MaanStore API: from n/a through 1.0.1.
CVE-2024-50489 1 Realtyworkstation 1 Realty Workstation 2024-10-31 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation allows Authentication Bypass. This issue affects Realty Workstation: from n/a through 1.0.45.
CVE-2024-50486 1 Acnoo 1 Flutter Api 2024-10-29 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass. This issue affects Acnoo Flutter API: from n/a through 1.0.5.
CVE-2024-9933 2024-10-28 N/A 9.8 CRITICAL
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is because the 'watchtower_ota_token' default value is empty and the not-empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user.
CVE-2024-9501 2024-10-28 N/A 9.8 CRITICAL
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVE-2024-9930 2024-10-28 N/A 9.8 CRITICAL
The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This is due to missing validation on the user being supplied in the 'verify_email' action. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator. The vulnerability is in the Account extension.
CVE-2024-9890 2024-10-28 N/A 8.8 HIGH
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.
CVE-2024-9931 2024-10-28 N/A 9.8 CRITICAL
The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user.
CVE-2024-10002 1 Roveridx 1 Rover Idx 2024-10-25 N/A 8.8 HIGH
The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as an administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.
CVE-2024-49328 1 Vivektamrakar 1 Wp Rest Api Fns 2024-10-23 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass. This issue affects WP REST API FNS: from n/a through 1.0.0.
CVE-2024-49604 1 Najeebmedia 1 Simple User Registration 2024-10-23 N/A 9.8 CRITICAL
Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass. This issue affects Simple User Registration: from n/a through 5.5.