CVE-2024-12857

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.
Configurations

Configuration 1

cpe:2.3:a:scriptsbundle:adforest:*:*:*:*:*:wordpress:*:*

History

24 Jan 2025, 19:18

Type: Values Removed / Values Added

References
  Removed: https://themeforest.net/item/adforest-classified-wordpress-theme/19481695
  Added: https://themeforest.net/item/adforest-classified-wordpress-theme/19481695 (Product)

References
  Removed: https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve
  Added: https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve (Third Party Advisory)

First Time
  Added: Scriptsbundle
  Added: Scriptsbundle adforest

CPE
  Added: cpe:2.3:a:scriptsbundle:adforest:*:*:*:*:*:wordpress:*:*

CWE
  Added: CWE-306
Summary
  • (es) The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to and including 5.1.8. This is because the plugin does not properly verify a user's identity before logging in as that user. This makes it possible for unauthenticated attackers to authenticate as any user, provided OTP login by phone number has been configured.

22 Jan 2025, 07:15

Type: New CVE

Information

Published : 2025-01-22 07:15

Updated : 2025-01-24 19:18


NVD link : CVE-2024-12857

Mitre link : CVE-2024-12857

CVE.ORG link : CVE-2024-12857


Products Affected

scriptsbundle

  • adforest
CWE
CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-306

Missing Authentication for Critical Function