CVE-2024-9104

Published Oct 16, 2024

Last updated a month ago

CVSS medium 5.6

Overview

Description
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers.
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
5.6
Impact score
3.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-703

Social media

Hype score
Not currently trending

  1. 馃毃 隆Atenci贸n a todos los administradores de WordPress! 馃毃 Se ha identificado una vulnerabilidad cr铆tica, CVE-2024-9104, en el plugin UltimateAI hasta su versi贸n 2.8.3, que permite a atacantes no autenticados eludir la autenticaci贸n y restablecer contrase帽as de usuarios inactivos

    @antu_tech

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References