// For flags

CVE-2024-49328

WordPress WP REST API FNS Plugin plugin <= 1.0.0 - Account Takeover vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.

The WP REST API FNS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to gain administrator privileges.

*Credits: stealthcopter (Patchstack Alliance)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2024-10-14 CVE Reserved
  • 2024-10-17 CVE Published
  • 2024-10-22 CVE Updated
  • 2024-10-24 EPSS Updated
  • 2024-11-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • CWE-862: Missing Authorization
CAPEC
  • CAPEC-115: Authentication Bypass
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rest Api Fns
Search vendor "Rest Api Fns"
 Rest Api Fns
Search vendor "Rest Api Fns" for product "Rest Api Fns"
 >= 0.0.0 <= 1.0.0
Search vendor "Rest Api Fns" for product "Rest Api Fns" and version " >= 0.0.0 <= 1.0.0"
en
Affected