CVE-2024-10245
📋 TL;DR
The Relais 2FA plugin for WordPress has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any existing user, including administrators, if they know the user's email address. This affects all WordPress sites using Relais 2FA plugin version 1.0 or earlier. The vulnerability stems from improper authentication checks in the plugin's AJAX handler function.
💻 Affected Systems
- Relais 2FA WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrative access to compromise the WordPress site, install malicious plugins/themes, or steal user data.
If Mitigated
Limited impact if strong network controls, web application firewalls, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
The vulnerability is simple to exploit with just HTTP requests. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/relais-2fa/trunk/relais.php?rev=2439540#L39
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Relais 2FA plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.1+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Relais 2FA Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate relais-2fa
Web Application Firewall Rule
allBlock access to the vulnerable AJAX endpoint
Block POST requests to /wp-admin/admin-ajax.php with action=rl_do_ajax
🧯 If You Can't Patch
- Disable the Relais 2FA plugin immediately
- Implement strict network access controls and monitor for authentication bypass attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Relais 2FA version 1.0 or earlierCheck Version:
wp plugin get relais-2fa --field=versionVerify Fix Applied:
Verify Relais 2FA plugin is updated to version 1.1 or later, or confirm plugin is deactivated📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts via admin-ajax.php
- Multiple failed login attempts followed by successful login from same IP
- POST requests to /wp-admin/admin-ajax.php with action=rl_do_ajax
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php endpoint with rl_do_ajax parameter
- Unusual spikes in admin-ajax.php traffic
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="rl_do_ajax"