Login Sign Up

CVE-2024-50478

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass authentication in the Swoop 1-Click Login WordPress plugin, potentially gaining unauthorized access to WordPress sites. It affects all WordPress installations using version 1.4.5 of the plugin. The high CVSS score indicates critical severity.

💻 Affected Systems

Products:
  • Swoop 1-Click Login: Passwordless Authentication WordPress Plugin
Versions: 1.4.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress sites with this specific plugin version installed and activated.

📦 What is this software?

1 Click Login\ by Swoopnow

View all CVEs affecting 1 Click Login\ →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover with administrative privileges, data theft, malware injection, and lateral movement to other systems.

🟠

Likely Case

Unauthorized access to user accounts, content manipulation, and potential privilege escalation within the WordPress site.

🟢

If Mitigated

Limited impact if strong network segmentation, monitoring, and additional authentication layers are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass vulnerabilities are often easy to exploit once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WordPress plugin repository for updates beyond 1.4.5

Vendor Advisory: https://patchstack.com/database/vulnerability/swoop-password-free-authentication/wordpress-1-click-login-passwordless-authentication-plugin-1-4-5-broken-authentication-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find '1-Click Login: Passwordless Authentication'. 4. Click 'Update Now' if available. 5. Alternatively, delete and reinstall latest version.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate swoop-password-free-authentication

Restrict Access

all

Use web application firewall rules to block requests to plugin endpoints.

🧯 If You Can't Patch

  • Implement strong network segmentation to isolate the WordPress instance.
  • Enable detailed logging and monitoring for authentication attempts and admin actions.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for '1-Click Login: Passwordless Authentication' version 1.4.5.

Check Version:

wp plugin get swoop-password-free-authentication --field=version

Verify Fix Applied:

Verify plugin version is updated to a version beyond 1.4.5 in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts without passwords
  • Admin actions from unexpected IPs
  • Failed login attempts to plugin endpoints

Network Indicators:

  • HTTP requests to /wp-content/plugins/swoop-password-free-authentication/ with unusual parameters

SIEM Query:

source="wordpress" AND (plugin="swoop-password-free-authentication" OR uri_path="/wp-content/plugins/swoop-password-free-authentication/")

📊 Metadata

CVE ID: CVE-2024-50478
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-305
Published: October 28, 2024
Last Updated: October 31, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50478, you might also want to check these:

CVE-2025-4320 10.0

This vulnerability allows attackers to bypass authentication and exploit weak password recovery mech...

Same vulnerability type (CWE-305)
CVE-2025-24522 10.0

KUNBUS Revolution Pi OS Bookworm 01/2025 has no authentication configured by default for its Node-RE...

Same vulnerability type (CWE-305)
CVE-2025-36386 9.8

CVE-2025-36386 is an authentication bypass vulnerability in IBM Maximo Application Suite that allows...

Same vulnerability type (CWE-305)