Platform: wordpress
Component: biagiotti-membership
Fixed version: 1.0.3
CVE-2024-12287 is an authentication bypass vulnerability in the Biagiotti Membership plugin for WordPress. Because the plugin does not adequately verify user identity, unauthenticated attackers can potentially log in as other users, including administrators. Versions up to and including 1.0.2 are affected; a patched release is available and users need to update the plugin.
The primary impact is unauthorized access to WordPress accounts. An attacker who exploits the bypass to log in as an administrator gains full control of the affected site, which can lead to data breaches, website defacement, malware injection, and other malicious activity. Administrator impersonation is the most serious case, since an attacker can then modify site content, install malicious plugins, and compromise user data. Given how widely WordPress is deployed, the potential for large-scale impact is significant.
The vulnerability was publicly disclosed on December 18, 2024. No active exploitation campaigns have been definitively confirmed, but the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. No proof-of-concept (PoC) code has been publicly released as of this writing, though the nature of the flaw makes it likely that PoCs will emerge. It is not currently listed in the CISA KEV catalog.
WordPress sites running the Biagiotti Membership plugin, particularly versions up to and including 1.0.2, are at significant risk. Shared hosting environments, where several websites share one server, are at increased risk because a compromise of one site can lead to the compromise of others. Sites with weak password policies or without multi-factor authentication are especially exposed.
• wordpress / composer / npm: list the installed plugin and its version:
  wp plugin list | grep biagiotti-membership
• wordpress / composer / npm: update the plugin in place (the `--all` flag updates every plugin and cannot be combined with a plugin name, so it is omitted here):
  wp plugin update biagiotti-membership
• wordpress / composer / npm: look for the plugin's login-state checks in the installed source:
  grep -r 'if ( ! is_user_logged_in() )' /var/www/html/wp-content/plugins/biagiotti-membership/*
• generic web: check the WordPress plugin directory for an updated version.
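The `wp plugin list` check above only shows the version string; deciding whether that version is below the fixed release 1.0.3 still has to be done by hand. The following added example (not part of the original advisory, and not code from the plugin or from WP-CLI) parses the JSON form of that command's output and reports whether the installed `biagiotti-membership` version is older than the fixed version. It assumes the field names `name`, `status` and `version` that `wp plugin list --format=json` emits; the sample output embedded below is constructed for the example, not captured from a real site.

```python
import json
import re

# Fixed version as stated on this page; anything older is affected.
FIXED_VERSION = "1.0.3"
PLUGIN_SLUG = "biagiotti-membership"

# Constructed sample of `wp plugin list --format=json` output (not captured
# from a real site); the field names match wp-cli's plugin list columns.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "biagiotti-membership", "status": "active", "update": "available",
     "version": "1.0.2"},
])


def parse_version(text):
    """Split a plugin version into a comparable tuple of integers.

    A pre-release suffix such as '1.0.3-beta' is stripped before comparison,
    and short versions are padded so that '1.0' compares equal to '1.0.0'.
    """
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess_plugin_list(plugin_list_json, slug=PLUGIN_SLUG):
    """Return an assessment dict for the plugin named `slug`.

    'status' is one of 'not-installed', 'vulnerable' or 'patched'; 'active'
    records whether WordPress currently has the plugin enabled.
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != slug:
            continue
        version = plugin.get("version", "")
        return {
            "status": "vulnerable" if is_vulnerable_version(version) else "patched",
            "version": version,
            "active": plugin.get("status") == "active",
            "fixed_version": FIXED_VERSION,
        }
    return {"status": "not-installed", "version": None, "active": False,
            "fixed_version": FIXED_VERSION}


if __name__ == "__main__":
    # On a live site: wp plugin list --format=json | python3 check_biagiotti.py
    # With no piped input the constructed sample is assessed instead.
    import sys
    data = SAMPLE_WP_PLUGIN_LIST if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(assess_plugin_list(data), indent=2))
```

The numeric-tuple comparison matters because a plain string comparison would rank a hypothetical 1.0.10 below 1.0.3; the parser also reports an inactive plugin's version, since the affected code remains on disk until the plugin is updated or removed.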
Exploitation status: disclosure
EPSS: 0.26% (50th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to update the Biagiotti Membership plugin immediately to a version that addresses this vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict access to sensitive areas of the WordPress site. Enforce strong password policies and enable multi-factor authentication (MFA) for all administrator accounts to reduce the risk of unauthorized access, and review user accounts and permissions regularly to identify and remove anything suspicious. After upgrading, confirm the fix by attempting to reach the plugin's administrative interface without proper authentication.
Update the Biagiotti Membership plugin to the latest available version. The vulnerability allows authentication to be bypassed, so updating to prevent unauthorized access is critical.
CVE-2024-12287 is a critical vulnerability in the Biagiotti Membership WordPress plugin that lets attackers bypass authentication and potentially log in as administrators.
Yes, if you are using Biagiotti Membership plugin version 1.0.2 or earlier, you are affected by this authentication bypass vulnerability.
Update the Biagiotti Membership plugin to the latest available version to patch the authentication bypass vulnerability. Consider temporary access restrictions if an immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WordPress plugin directory and Biagiotti Membership's official website for updates and advisories regarding CVE-2024-12287.