CRITICAL🇵🇱 Wersja polska

CVE-2024-13375

CVSS 9.8v3.1pub. 2025-01-18upd. 2026-04-15

The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

🤖 AI Analysis
How it works

The adifier_recover() function responsible for account recovery does not properly verify user identity before updating their data, particularly the password. The absence of this verification (CWE-620 — Unverified Password Change) means that any anonymous user can send a password change request for any chosen account without confirming any form of identity. After resetting the administrator's password, the attacker can log in to the compromised account and gain full access to the WordPress panel.

Impact

An attacker without any permissions can take over any account on the WordPress site, including the administrator account, giving them full control over the website — the ability to modify content, install malicious plugins, steal data, and further compromise the infrastructure.

Mitigation & patch

Update the Adifier System plugin to a version higher than 3.1.7. If no update is available, temporarily disable the plugin and consult with the manufacturer's references (ThemeForest / Wordfence) to obtain the current patch.

Who is affected

Adifier System plugin for WordPress — all versions up to and including 3.1.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References