Platform: wordpress
Component: login-as-users
Fixed in: 1.4.3
CVE-2024-43311 describes an Improper Privilege Management vulnerability within the Login As Users WordPress plugin. This flaw allows attackers to escalate privileges, potentially gaining unauthorized access to administrative functions and sensitive data. The vulnerability impacts versions of Login As Users up to and including 1.4.2, with a fix available in version 1.4.3.
The Improper Privilege Management vulnerability allows an attacker to bypass access controls and assume the privileges of other users, potentially including administrators. Successful exploitation could lead to complete compromise of a WordPress site, enabling attackers to modify content, install malicious plugins, steal user credentials, or deface the website. The impact is particularly severe given the plugin's function – allowing users to log in as others – which, when combined with privilege escalation, creates a highly exploitable scenario. This could be leveraged to gain access to sensitive data or perform actions on behalf of other users without authorization.
CVE-2024-43311 was publicly disclosed on August 19, 2024. As of this date, no public proof-of-concept exploits have been released. The vulnerability's severity (CVSS 9.8) indicates a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog, but its critical severity warrants close monitoring.
WordPress websites utilizing the Login As Users plugin, particularly those running versions 1.4.2 or earlier, are at significant risk. Sites with weak user access controls or those that rely heavily on the Login As Users plugin for testing or debugging purposes are especially vulnerable.
• wordpress / composer / npm: wp plugin list | grep login-as-users
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status | grep login-as-users
• wordpress / composer / npm: wp plugin get login-as-users --field=version
disclosure
Exploit status
EPSS: 0.21% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43311 is to immediately upgrade the Login As Users plugin to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct workaround is unavailable, implementing strict user access controls and regularly auditing user permissions can help limit the potential damage if the vulnerability is exploited. Review WordPress user roles and permissions to ensure least privilege is enforced.
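The following POSIX shell script is an added example and is not code from the advisory, from the plugin's authors or from the Geek Code Lab site. It implements the check-and-contain step described above: it compares the installed Login As Users version against the fixed release 1.4.3, and when the installed version is affected it deactivates the plugin until it can be upgraded, then lists administrator accounts so the least-privilege review can start from a concrete inventory. The assumptions are that WP-CLI is installed and the script is run from the WordPress root; the function names (`version_lt`, `is_vulnerable`, `check_site`, `audit_admins`) and the `run` argument are the example's own, not anything from the page.

```shell
#!/bin/sh
# Added example: contain CVE-2024-43311 until Login As Users can be upgraded.
# Assumes WP-CLI ("wp") is on PATH and the script runs inside a WordPress root.

FIXED_VERSION="1.4.3"        # first non-affected release per the advisory
PLUGIN_SLUG="login-as-users" # slug as shown by `wp plugin list`

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Compares numerically component by component; a missing component counts
# as 0 (so 1.4 < 1.4.3) and a non-numeric suffix such as "-beta" is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}   # keep leading digits only
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1   # equal
}

# is_vulnerable V: exit 0 when version V is in the affected range (< 1.4.3).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print the installed plugin version, or fail if absent.
installed_version() {
    wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# check_site: deactivate the plugin when the installed version is affected.
# Exit status 2 signals "was affected and has been deactivated".
check_site() {
    v=$(installed_version) || { echo "$PLUGIN_SLUG is not installed"; return 0; }
    if is_vulnerable "$v"; then
        echo "$PLUGIN_SLUG $v is affected by CVE-2024-43311; deactivating until upgraded to $FIXED_VERSION"
        wp plugin deactivate "$PLUGIN_SLUG"
        return 2
    fi
    echo "$PLUGIN_SLUG $v is not affected (fixed in $FIXED_VERSION)"
}

# audit_admins: list administrator accounts to review against least privilege.
audit_admins() {
    echo "Administrator accounts (review each for necessity):"
    wp user list --role=administrator --fields=ID,user_login,user_email
}

# Only touch the live site when explicitly asked: `sh contain.sh run`
case "${1:-}" in
    run) check_site; audit_admins ;;
esac
```

Running `sh contain.sh run` on a site with 1.4.2 installed deactivates the plugin and returns exit status 2, which makes the script usable as a one-off check in a deployment pipeline; the pure comparison functions can be exercised without WP-CLI.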
Update the Login As Users plugin to the latest available version. The privilege escalation vulnerability has been fixed in versions after 1.4.2. Consult the plugin's changelog for more details on the fix.
CVE-2024-43311 is a critical vulnerability in the Login As Users WordPress plugin that allows attackers to escalate privileges and gain unauthorized access.
Yes, if you are using Login As Users version 1.4.2 or earlier, you are affected by this vulnerability.
Upgrade the Login As Users plugin to version 1.4.3 or later to remediate the vulnerability. If immediate upgrade is not possible, disable the plugin.
As of August 19, 2024, no public exploits are known, but the high severity score suggests a potential for exploitation.
Refer to the Geek Code Lab website and WordPress plugin repository for the official advisory and update information.