Platform
wordpress
Component
sign-in-with-google
Fixed in
1.8.1
CVE-2024-11015 is an authentication bypass vulnerability in the Sign In With Google plugin for WordPress, affecting versions up to and including 1.8.0. An attacker can exploit the flaw to gain unauthorized access to a user account, potentially including the site administrator's. The root cause is inadequate null value checking during the authentication process. Updating to a patched version is the essential remediation.
The impact of this vulnerability is severe. A successful exploit allows an attacker to impersonate any user who has previously authenticated with Google OAuth. This includes the site administrator, granting the attacker full control over the WordPress site. They could modify content, install malicious plugins, steal sensitive data, or even completely compromise the server. The ease of exploitation, combined with the plugin's popularity, makes this a high-priority risk. This bypass circumvents standard authentication mechanisms, making it particularly dangerous.
This vulnerability was publicly disclosed on December 12, 2024. No active exploitation campaign has been definitively confirmed, but the ease of exploitation and the plugin's widespread use make it a likely target. The CVSS score of 9.8 (CRITICAL) reflects the high severity and potential impact. The vulnerability is not currently listed in CISA's KEV catalog.
WordPress sites using the Sign In With Google plugin, particularly those running version 1.8.0 or earlier, are at significant risk. Shared hosting environments, where multiple websites share the same server, are especially exposed, as a compromise of one site could affect others. Sites that rely on Google OAuth as their primary login method are also at increased risk.
• wordpress / composer / npm:
  wp plugin list | grep "sign-in-with-google"
• wordpress / composer / npm:
  wp plugin update --all
• wordpress / composer / npm:
  wp plugin status | grep "sign-in-with-google"
• wordpress / composer / npm:
  wp plugin get sign-in-with-google
Disclosure
Exploit status
EPSS
0.14% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to update the Sign In With Google plugin immediately to version 1.8.1 or later. If an immediate upgrade is not possible because of compatibility issues or breaking changes, temporarily disable the plugin to prevent unauthorized access. A Web Application Firewall (WAF) with rules that block suspicious OAuth requests adds a layer of defense but is not a substitute for the update. Regularly review user accounts and permissions for any signs of unauthorized activity.
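As an added defender-side check that is not part of this advisory, the following POSIX shell script reads the installed version of the plugin through WP-CLI and flags it when it falls in the affected range (1.8.0 or earlier, fixed in 1.8.1). It assumes `wp` is run from the WordPress root; the slug is taken from this page and the function names are my own.

```shell
#!/bin/sh
# Added example: flag an installed Sign In With Google plugin that is still in
# the CVE-2024-11015 affected range (1.8.0 or earlier; fixed in 1.8.1).
# Assumes WP-CLI (`wp`) runs from the WordPress root; slug taken from the advisory.

PLUGIN_SLUG="sign-in-with-google"
FIXED_VERSION="1.8.1"

# Compare two dotted version strings numerically, up to four components.
# Missing components count as 0; a suffix such as "-beta" is ignored.
# Prints -1, 0 or 1 for a<b, a=b, a>b (plain string comparison would rank
# 1.10.0 below 1.8.1, so components are compared as integers).
version_cmp() {
  i=1
  while [ "$i" -le 4 ]; do
    pa=$(printf '%s' "$1" | cut -d. -f"$i"); pa=${pa%%[!0-9]*}; pa=${pa:-0}
    pb=$(printf '%s' "$2" | cut -d. -f"$i"); pb=${pb%%[!0-9]*}; pb=${pb:-0}
    if [ "$pa" -lt "$pb" ]; then printf '%s\n' -1; return 0; fi
    if [ "$pa" -gt "$pb" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Exit status 0 when VERSION is affected (below the fixed release), 1 otherwise.
is_vulnerable() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query the live site and report. Exit 2 signals a vulnerable install so the
# script can gate a deployment or feed a monitoring check.
check_site() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "$PLUGIN_SLUG is not installed: not affected"
    return 0
  }
  if is_vulnerable "$installed"; then
    echo "VULNERABLE: $PLUGIN_SLUG $installed; update to $FIXED_VERSION or later"
    return 2
  fi
  echo "OK: $PLUGIN_SLUG $installed"
}

# Run the live check only when invoked with --check, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
  check_site
fi
```

Run it as `sh check-siwg.sh --check` on the site host; a non-zero exit of 2 marks an install that still needs the update.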
Update the Sign In With Google plugin to the latest version. Version 1.8.1 or later fixes this authentication bypass vulnerability.
CVE-2024-11015 is a critical vulnerability in the Sign In With Google WordPress plugin allowing attackers to bypass authentication and log in as existing Google OAuth users.
You are affected if you are using the Sign In With Google plugin in WordPress versions 1.8.0 or earlier. Immediately check your plugin version and update if necessary.
The fix is to update the Sign In With Google plugin to a version greater than 1.8.0. If an upgrade is not immediately possible, temporarily disable the plugin.
While no confirmed active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation make it a likely target. Monitor your site closely.
Refer to the plugin developer's website and WordPress.org plugin repository for the latest advisory and update information.