CVE-2024-9488 (CVSS 9.8): Authentication Bypass Flaw in wpDiscuz Plugin, Over 80,000 Sites at Risk
A critical authentication bypass vulnerability has been discovered in wpDiscuz, a widely used WordPress plugin with over 80,000 active installations. This vulnerability, tracked as CVE-2024-9488 and assigned a CVSSv3 score of 9.8, could allow unauthenticated attackers to hijack user accounts, including those with administrative privileges.
wpDiscuz, renowned for its interactive commenting features and user engagement tools, has become a staple for many WordPress websites. However, this newly discovered flaw casts a shadow over its popularity. The vulnerability stems from insufficient verification of user identities during social login processes. Attackers who can obtain a user’s email address and exploit this weakness can potentially gain unauthorized access to their account.
The security implications are serious: an attacker who exploits CVE-2024-9488 could gain full access to the site’s admin functions, making it possible to alter content, install malicious plugins, or even lock out legitimate users. wpDiscuz’s engagement-enhancing features may suddenly become a vehicle for data theft, content manipulation, and other forms of cybercrime.
Urgent action is required for all websites utilizing wpDiscuz. The developers have addressed this vulnerability in version 7.6.25. Website administrators are strongly urged to update to this version immediately.
In addition to updating the plugin, website owners should consider:
- Password Review: Encourage users to change their passwords, especially if they use social logins.
- Two-Factor Authentication: Implement two-factor authentication to add an extra layer of security to user accounts.
- Regular Security Audits: Conduct regular security audits and vulnerability scans to identify and address potential weaknesses.