CVE-2024-9989
Published 2024-10-29
CVE-2024-9989: The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call…
Priority: P178
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit likelihood: EPSS 7.22% (93.5th percentile)
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| odude | crypto_tool | <= 2.15 | — |
Detection & IOCs (extracted from sources)
- A successful exploitation results in authentication cookies (wordpress_sec_ or wordpress_logged_in_) being set in the response to an unauthenticated request; monitor for Set-Cookie headers containing these values on admin-ajax.php responses.
- Identify vulnerable WordPress installations by checking for the presence of the Crypto plugin path in page source via Shodan or FOFA queries targeting 'wp-content/plugins/crypto'.
- The vulnerability is triggered via an arbitrary method call to 'crypto_connect_ajax_process::log_in' through the 'crypto_connect_ajax_process' AJAX action; alert on unauthenticated AJAX requests invoking this action.
- The NVD advisory states the vulnerable version range is up to and including 2.18, while the Nuclei template targets versions up to and including 2.15. Ensure detection coverage accounts for the full range (<= 2.18).
- The Nuclei template uses a two-step flow: first confirming the plugin is present on the target, then sending the exploit request. Single-step detections (e.g., WAF rules) should account for the plugin presence check to reduce false positives.
No detection rules found.
Nuclei template: CVE-2024-9989 [CRITICAL] Crypto <= 2.15 - Authentication Bypass (CVSS 9.8)
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Template:

```yaml
id: CVE-2024-9989

info:
  name: Crypto <= 2.15 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the
```
References:
- https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L138
- https://plugins.trac.wordpress.org/browser/crypto/tags/2.10/includes/class-crypto_connect_ajax_register.php#L33
- https://plugins.trac.wordpress.org/changeset/3189945/crypto#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e21bd924-1d96-4371-972a-5c99d67261cc?source=cve

Published: 2024-10-29