Authentication Bypass Using an Alternate Path or Channel

CVE-2024-11028

High

9.8/10

Summary

The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References

Advisory Timeline

Published Nov 13, 2024

Authentication Bypass Using an Alternate Path or Channel

CVE-2024-11028

Summary

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS