CRITICAL🇵🇱 Wersja polska

CVE-2024-9488

CVSS 9.8v3.1pub. 2024-10-25upd. 2024-11-06

The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

🤖 AI Analysis
How it works

The vulnerability results from insufficient verification of user identity returned by a social login token. An attacker who knows a given user's email address and provided that user does not already have an account linked to that social service can exploit this mechanism to log in to the victim's account. Token verification does not properly check the connection between the identity returned by the provider and the actual account on the WordPress site.

Impact

An attacker can take complete control over any user account on the website, including administrator accounts, enabling unauthorized access to the management panel, content modification, installation of malicious software, or complete takeover of the WordPress service.

Mitigation & patch

Update the wpDiscuz plugin to a version higher than 7.6.24, in which the fix was introduced according to the change available in the plugin repository (changeset 3164486). It is also recommended to conduct an audit of access logs to detect any potential unauthorized login attempts.

Who is affected

Comments – wpDiscuz plugin (publisher: Gvectors) for WordPress in all versions up to and including 7.6.24

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gvectors Wpdiscuz

    APP
    Gvectors
    < 7.6.25
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-22193CRITICAL9.2PL ✓ten sam produkt

SQL Injection w wtyczce WordPress wpDiscuz (getAllSubscriptions)

CVE-2020-24186CRITICAL10.0ten sam produkt

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, ...

CVE-2020-13640CRITICAL9.8ten sam produkt

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers ...

CVE-2026-22182HIGH8.7ten sam produkt

wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users...

CVE-2026-22192HIGH8.8ten sam produkt

Voltronic Power SNMP Web Pro version 1.1 contains an authentication bypass vulnerability that allows unauthent...