CVE-2024-11349: AdForest <= 5.1.6 - Authentication Bypass

9.8 CVSS

Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the theme not properly verifying a user's identity before authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

Classification

CVE ID: CVE-2024-11349

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Affected Products

Vendor: scriptsbundle

Product: AdForest

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (estimated probability of exploitation in the wild)

EPSS Percentile: 40.72% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f374b3d1-820b-473f-8d2b-c3267e6d23d9?source=cve
https://themeforest.net/item/adforest-classified-wordpress-theme/19481695

Timeline