The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.
History

Thu, 12 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Dec 2024 03:45:00 +0000

Type Values Removed Values Added
Description The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.
Title Sign In With Google <= 1.8.0 - Authentication Bypass in authenticate_user
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-12-12T03:23:08.908Z

Updated: 2024-12-12T16:27:37.738Z

Reserved: 2024-11-08T03:24:32.104Z

Link: CVE-2024-11015

cve-icon Vulnrichment

Updated: 2024-12-12T16:26:39.277Z

cve-icon NVD

Status : Received

Published: 2024-12-12T04:15:04.797

Modified: 2024-12-12T04:15:04.797

Link: CVE-2024-11015

cve-icon Redhat

No data.