CVE-2024-9820

Published: Oct 15, 2024Modified: Oct 19, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The WP 2FA with Telegram plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 3.0. This is due to the two-factor code being stored in a cookie, which makes it possible to bypass two-factor authentication.

Affected (1)

Products: Dueclic: Wp 2fa With Telegram

1 product

Wp 2fa With Telegram

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dueclic Wp 2fa With Telegram	Before 3.1

Related CWEs

Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Reliance on Cookies without Validation and Integrity Checking in a Security Decision

The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

References (2)

https://plugins.trac.wordpress.org/browser/two-factor-login-telegram/tags/3.0/includes/class-wp-factor-telegram-plugin.php#L228

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/ccd73030-7185-4302-b3fd-29cbbe716e3e?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.