Platform: wordpress
Component: login-as-users
Fixed version: 1.4.3
CVE-2024-43311 describes an Improper Privilege Management vulnerability within the Login As Users WordPress plugin. This flaw allows attackers to escalate privileges, potentially gaining unauthorized access to administrative functions and sensitive data. The vulnerability impacts versions of Login As Users up to and including 1.4.2, with a fix available in version 1.4.3.
The Improper Privilege Management vulnerability allows an attacker to bypass access controls and assume the privileges of other users, potentially including administrators. Successful exploitation could lead to complete compromise of a WordPress site, enabling attackers to modify content, install malicious plugins, steal user credentials, or deface the website. The impact is particularly severe given the plugin's function – allowing users to log in as others – which, when combined with privilege escalation, creates a highly exploitable scenario. This could be leveraged to gain access to sensitive data or perform actions on behalf of other users without authorization.
CVE-2024-43311 was publicly disclosed on August 19, 2024. As of this date, no public proof-of-concept exploits have been released. The vulnerability's severity (CVSS 9.8) indicates a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring.
WordPress websites utilizing the Login As Users plugin, particularly those running versions 1.4.2 or earlier, are at significant risk. Sites with weak user access controls or those that rely heavily on the Login As Users plugin for testing or debugging purposes are especially vulnerable.
Detection and update commands (wordpress / composer / npm):
• wp plugin list | grep "Login As Users"
• wp plugin update --all
• wp plugin status | grep "Login As Users"
• wp plugin version Login As Users
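As an added example (not part of the advisory), the following POSIX shell snippet turns the version check above into a repeatable test: it compares an installed Login As Users version against the fixed release 1.4.3 using semantic version ordering, and optionally reads the installed version through WP-CLI. The plugin slug login-as-users and the fixed version come from this advisory; the use of `wp plugin get --field=version` is an assumption about the site's WP-CLI setup.

```shell
#!/bin/sh
# Added example, not the advisory's own tooling.
# FIXED_VERSION is taken from the advisory (CVE-2024-43311 fixed in 1.4.3).
FIXED_VERSION="1.4.3"

# version_lt A B: succeed when A sorts strictly before B in version order,
# so that 1.4.10 is correctly treated as newer than 1.4.3.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_affected VERSION: print "affected" (exit 0) for versions below the
# fixed release, "patched" (exit 1) otherwise.
is_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
        return 0
    fi
    echo "patched"
    return 1
}

# check_site [WP_PATH]: read the installed version via WP-CLI (assumed to
# be on PATH) and report it; the comparison itself needs no network access.
check_site() {
    ver=$(wp plugin get login-as-users --field=version \
          --path="${1:-.}" 2>/dev/null) || {
        echo "login-as-users not installed or wp unavailable"
        return 2
    }
    echo "login-as-users $ver: $(is_affected "$ver") (fixed in $FIXED_VERSION)"
}
```

Run `check_site /var/www/html` against a site root to get a one-line verdict; a non-zero exit from `is_affected` means no update is required.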
Exploit status
EPSS: 0.21% (44th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-43311 is to immediately upgrade the Login As Users plugin to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is unavailable, implementing strict user access controls and regularly auditing user permissions can help limit the potential damage if the vulnerability is exploited. Review WordPress user roles and permissions to ensure least privilege is enforced.
Update the Login As Users plugin to the latest available version. The privilege escalation vulnerability has been fixed in versions after 1.4.2. Consult the plugin's changelog for further details on the fix.
CVE-2024-43311 is a critical vulnerability in the Login As Users WordPress plugin that allows attackers to escalate privileges and gain unauthorized access.
Yes, if you are using Login As Users version 1.4.2 or earlier, you are affected by this vulnerability.
Upgrade the Login As Users plugin to version 1.4.3 or later to remediate the vulnerability. If immediate upgrade is not possible, disable the plugin.
As of August 19, 2024, no public exploits are known, but the high severity score suggests a potential for exploitation.
Refer to the Geek Code Lab website and WordPress plugin repository for the official advisory and update information.