CVE-2024-5149

6.5 MEDIUM

📋 TL;DR

The BuddyForms WordPress plugin has an email verification bypass vulnerability due to insufficiently random activation codes. Unauthenticated attackers can bypass email verification requirements, potentially creating unauthorized user accounts. All WordPress sites using BuddyForms versions up to 2.8.9 are affected.

💻 Affected Systems

Products:
  • BuddyForms WordPress Plugin
Versions: All versions up to and including 2.8.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites using BuddyForms with email verification enabled for user registration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers create unlimited unauthorized user accounts with verified status, potentially gaining access to restricted content or performing actions reserved for verified users.

🟠

Likely Case

Attackers bypass email verification to create fake accounts, potentially enabling spam, abuse, or unauthorized access to user-only features.

🟢

If Mitigated

With proper monitoring and account review processes, unauthorized accounts can be detected and removed before causing significant harm.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit by guessing or brute-forcing activation codes due to insufficient randomness.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.0 or later

Vendor Advisory: https://wordpress.org/plugins/buddyforms/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find BuddyForms and click 'Update Now'.
4. Alternatively, download version 2.9.0+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable BuddyForms Email Verification

all

Temporarily disable the email verification feature in BuddyForms settings until the plugin is patched

Disable User Registration

all

Temporarily disable new user registration in WordPress settings

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious user registration patterns
  • Enable detailed logging of user registration attempts and regularly review for anomalies

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for BuddyForms version. If version is 2.8.9 or lower, you are vulnerable.

Check Version:

wp plugin list --name=buddyforms --field=version (if WP-CLI installed)

Verify Fix Applied:

After updating, verify BuddyForms version is 2.9.0 or higher in WordPress plugins list.
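The version check above is easy to get wrong with a plain string comparison (2.10.0 sorts before 2.9.0 as text). The script below is an added example for this advisory, not code from the BuddyForms project: it wraps the WP-CLI command quoted above and compares the reported version numerically against the first fixed release, 2.9.0. The optional `--path` argument is WP-CLI's standard global flag for pointing at a WordPress install; the wrapper returns `None` when WP-CLI is not available so the caller can fall back to the Plugins page.

```python
"""Check whether an installed BuddyForms version is at or above the fixed release.

Added example for this advisory, not code from the BuddyForms project. It wraps
the WP-CLI command quoted on the page (wp plugin list --name=buddyforms
--field=version) and compares the result numerically, so that 2.10.0 is not
ranked below 2.9.0 by a plain string comparison.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "2.9.0"  # first release not affected by CVE-2024-5149 (from the advisory)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.8.9' (or '2.8.9-beta') into a tuple of integers for comparison."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the first fixed version."""
    inst, fix = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '2.9' compares equal to '2.9.0'.
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst < fix


def installed_buddyforms_version(wp_path: Optional[str] = None) -> Optional[str]:
    """Run the WP-CLI command from the advisory.

    Returns None when WP-CLI is not on PATH or the plugin is not installed
    (WP-CLI prints nothing for an unknown plugin name).
    """
    wp = shutil.which("wp")
    if wp is None:
        return None
    cmd = [wp, "plugin", "list", "--name=buddyforms", "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")  # WP-CLI global flag: location of the WordPress install
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    version = result.stdout.strip()
    return version or None


if __name__ == "__main__":
    version = installed_buddyforms_version()
    if version is None:
        print("WP-CLI not available or BuddyForms not installed; check the Plugins page manually.")
    elif is_vulnerable(version):
        print(f"BuddyForms {version} is affected by CVE-2024-5149; update to {FIXED_VERSION} or later.")
    else:
        print(f"BuddyForms {version} is at or above {FIXED_VERSION}: not affected.")
```

Run it on the host (or with `--path` pointing at the site root) before and after the update; the second run should report the version as not affected.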

📡 Detection & Monitoring

Log Indicators:

  • Unusual spike in user registrations
  • Multiple registration attempts from same IP
  • User accounts created without corresponding email verification logs

Network Indicators:

  • HTTP POST requests to registration endpoints with predictable activation codes

SIEM Query:

source="wordpress.log" AND ("user registration" OR "new user") | stats count by src_ip
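The three log indicators above can be turned into concrete checks. The script below is an added example for this advisory, not code from BuddyForms or WordPress core. WordPress does not write a registration log by default, so the line format is constructed (timestamp, client IP, event name, user, optional status); `LINE_RE` is the only part that needs adapting to whatever an audit plugin, access log or SIEM actually emits. It flags addresses that register many accounts inside a sliding window, hour buckets whose registration count is far above a baseline, and accounts that became active without any matching email-verification event.

```python
"""Run the Log Indicators from this advisory over a registration log.

Added example for this advisory, not code from BuddyForms or WordPress core.
WordPress does not write a registration log by default, so the line format
below is constructed (timestamp, client IP, event name, user, optional status);
adapt LINE_RE to what your audit plugin, access log or SIEM actually emits.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: two ordinary sign-ups that are followed by an
# email_verified event, and eight accounts from one address in two minutes
# that become active with no verification event at all.
SAMPLE_LOG = """\
2024-05-20T10:00:01Z ip=203.0.113.7 event=user_registration user=alice status=active
2024-05-20T10:00:40Z ip=203.0.113.7 event=email_verified user=alice
2024-05-20T10:02:10Z ip=198.51.100.23 event=user_registration user=u1 status=active
2024-05-20T10:02:12Z ip=198.51.100.23 event=user_registration user=u2 status=active
2024-05-20T10:02:15Z ip=198.51.100.23 event=user_registration user=u3 status=active
2024-05-20T10:02:19Z ip=198.51.100.23 event=user_registration user=u4 status=active
2024-05-20T10:02:24Z ip=198.51.100.23 event=user_registration user=u5 status=active
2024-05-20T10:03:30Z ip=198.51.100.23 event=user_registration user=u6 status=active
2024-05-20T10:03:41Z ip=198.51.100.23 event=user_registration user=u7 status=active
2024-05-20T10:03:55Z ip=198.51.100.23 event=user_registration user=u8 status=active
2024-05-20T11:30:00Z ip=192.0.2.44 event=user_registration user=bob status=active
2024-05-20T11:31:05Z ip=192.0.2.44 event=email_verified user=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) user=(?P<user>\S+)"
    r"(?: status=(?P<status>\S+))?$"
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    event: str
    user: str
    status: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events; lines that do not match LINE_RE are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["ip"], m["event"], m["user"], m["status"]))
    return events


def busy_ips(events: List[Event], window: timedelta = timedelta(minutes=10),
             threshold: int = 5) -> Dict[str, int]:
    """IPs with at least `threshold` registrations inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event == "user_registration":
            by_ip[e.ip].append(e.ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def hourly_spikes(events: List[Event], baseline_per_hour: int = 2,
                  factor: int = 3) -> Dict[datetime, int]:
    """Hour buckets whose registration count exceeds `factor` times the baseline."""
    buckets = Counter(e.ts.replace(minute=0, second=0)
                      for e in events if e.event == "user_registration")
    return {hour: n for hour, n in sorted(buckets.items()) if n > baseline_per_hour * factor}


def active_without_verification(events: List[Event]) -> Set[str]:
    """Users whose account became active but for whom no email_verified event exists."""
    verified = {e.user for e in events if e.event == "email_verified"}
    return {e.user for e in events
            if e.event == "user_registration" and e.status == "active" and e.user not in verified}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("registrations per IP above threshold:", busy_ips(evs))
    print("hourly spikes:", hourly_spikes(evs))
    print("active accounts with no verification event:", sorted(active_without_verification(evs)))
```

The thresholds (five registrations per ten minutes, three times a baseline of two per hour) are placeholders; set them from the site's normal sign-up rate. The third check is the most specific to this CVE: a verified account with no verification event is exactly what a bypassed activation code produces.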
