CVE-2024-8853

9.8 CRITICAL

📋 TL;DR

The Webo-facto WordPress plugin (slug webo-facto-connector), in all versions up to and including 1.40, allows an unauthenticated attacker to become a site administrator. The plugin's 'doSsoAuthentification' function does not adequately restrict who it signs in with administrator rights, so an attacker who registers an account whose username contains '-wfuser' is granted administrator access. Any WordPress site running a vulnerable version of the plugin is affected.

💻 Affected Systems

Products:
  • Webo-facto WordPress plugin
Versions: All versions up to and including 1.40
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Webo-facto plugin enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover with administrative privileges, allowing data theft, malware injection, defacement, and use of the site as a foothold for further network compromise.

🟠 Likely Case

Attackers gain administrative access to the WordPress site, enabling content manipulation, plugin and theme installation (and with it arbitrary PHP execution), and access to user data.

🟢 If Mitigated

No impact once the plugin is updated to 1.41 or later or deactivated; exposure is reduced, but not removed, where open user registration is disabled or network controls keep the site off the public internet.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit is trivial - attackers simply need to register with a specific username pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.41 or later

Fix changeset (WordPress.org plugins trac): https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find the Webo-facto plugin.
4. Click 'Update Now' if an update is offered.
5. If no update is offered, download version 1.41 or later from the WordPress.org plugin directory and update manually.

🔧 Temporary Workarounds

Disable Webo-facto plugin (all platforms)

Temporarily deactivate the vulnerable plugin until it can be updated:

wp plugin deactivate webo-facto-connector

Block user registration (all platforms)

Disable new user registration in WordPress settings (Settings > General > Membership, uncheck "Anyone can register") so that unauthenticated visitors cannot choose a username at all.

🧯 If You Can't Patch

  • Deactivate the Webo-facto plugin immediately.
  • Implement WAF rules that block requests whose username parameter contains '-wfuser'. The username travels in the POST body of the registration request (the user_login field submitted to wp-login.php?action=register), so the rule must inspect request bodies, not just URLs; match case-insensitively.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Webo-facto version. If version is 1.40 or lower, you are vulnerable.

Check Version:

wp plugin get webo-facto-connector --field=version

Verify Fix Applied:

Verify plugin version is 1.41 or higher in WordPress admin panel.
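The checks above, as an added triage script that is not part of the advisory or of the plugin. It assumes WP-CLI (wp) is on PATH and is run from the WordPress root; the slug webo-facto-connector, the fixed version 1.41 and the '-wfuser' pattern come from the advisory. Besides the version check it reports whether open registration is enabled (the setting the workaround section tells you to turn off) and whether any existing administrator login already matches the pattern, which would indicate the flaw has been used.

```shell
#!/bin/sh
# Added triage script (not the advisory's or the plugin's own code). Assumes
# WP-CLI ("wp") on PATH, run from the WordPress root. "sort -V" (version sort)
# is a GNU/BSD coreutils extension rather than strict POSIX.

FIXED_VERSION="1.41"
PLUGIN_SLUG="webo-facto-connector"

# True (exit 0) when the given plugin version sorts before the fixed release,
# i.e. is 1.40 or older. Version sort handles "1.4" and "1.41.1" correctly.
version_vulnerable() {
    v="$1"
    [ "$v" = "$FIXED_VERSION" ] && return 1
    first="$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)"
    [ "$first" = "$v" ]
}

# Reads user logins on stdin (one per line) and prints those containing the
# '-wfuser' marker, case-insensitively. Always exits 0 so it is safe under
# "set -e" when nothing matches.
wfuser_logins() {
    grep -i -- '-wfuser' || true
}

# Reports plugin version, registration setting and any administrator whose
# login contains '-wfuser'. Only invoked when WP-CLI is available.
audit_site() {
    ver="$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || true)"
    if [ -z "$ver" ]; then
        echo "plugin $PLUGIN_SLUG not installed: not affected"
        return 0
    fi
    if version_vulnerable "$ver"; then
        echo "VULNERABLE: $PLUGIN_SLUG $ver (< $FIXED_VERSION); run: wp plugin update $PLUGIN_SLUG"
    else
        echo "ok: $PLUGIN_SLUG $ver"
    fi
    # Open registration is what lets an unauthenticated attacker pick the username.
    if [ "$(wp option get users_can_register 2>/dev/null)" = "1" ]; then
        echo "WARNING: open registration enabled; consider: wp option update users_can_register 0"
    fi
    # An existing administrator matching the pattern is a sign of exploitation.
    hits="$(wp user list --role=administrator --field=user_login 2>/dev/null | wfuser_logins)"
    if [ -n "$hits" ]; then
        echo "COMPROMISE INDICATOR: administrator accounts matching -wfuser:"
        echo "$hits"
    fi
}

if command -v wp >/dev/null 2>&1; then
    audit_site
fi
```

If the script prints a compromise indicator, do not stop at deleting the account: an attacker with administrator rights can have installed plugins, themes or backdoor files, so treat the site as compromised and rebuild from a known-good copy.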

📡 Detection & Monitoring

Log Indicators:

  • User registration attempts with usernames containing '-wfuser'
  • New administrator account creation from unauthenticated sources
  • SSO authentication failures or anomalies

Network Indicators:

  • HTTP POST requests to WordPress registration endpoints with suspicious usernames
  • Unusual traffic to /wp-admin/ from new IP addresses

SIEM Query:

source="wordpress.log" AND ("-wfuser" OR ("register" AND "administrator"))

The parentheses matter: in most query languages AND binds tighter than OR, so the ungrouped form matches every line containing "sso" as well as every line containing both "admin" and "register", which is far too noisy. "wordpress.log" is a placeholder source; WordPress core does not write a file by that name, so point the query at whatever records registrations and role changes (an audit/activity plugin, the WAF, or web-server logs, which show the wp-login.php?action=register request but not the submitted username).
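The network indicators listed above, implemented as an added detection example that is not part of the advisory. It correlates, per client IP, a POST to the WordPress registration endpoint followed by a request under /wp-admin/, which is the sequence an attacker exploiting this flaw would produce. The access-log lines are constructed in Apache/Nginx combined format with documentation-range IPs, not real observations. Request bodies, where the '-wfuser' username travels, are not present in an access log, so this is a URL-level correlation only; combine it with the database check for '-wfuser' administrators.

```shell
#!/bin/sh
# Added detection example (not the advisory's own code). Sample log lines are
# constructed; IPs are from RFC 5737 documentation ranges.

SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Oct/2024:10:01:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:10:01:09 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:10:01:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:10:01:20 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:10:02:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
EOF
)

# Reads combined-format access-log lines on stdin and prints each client IP
# (once) that POSTed to wp-login.php?action=register and later requested a
# path under /wp-admin/. admin-ajax.php is excluded because WordPress serves
# it to anonymous visitors too, so it would only add noise.
suspect_ips() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php\?action=register/ {
            registered[$1] = 1
            next
        }
        $7 ~ /^\/wp-admin\// && $7 !~ /^\/wp-admin\/admin-ajax\.php/ && ($1 in registered) && !($1 in flagged) {
            flagged[$1] = 1
            print $1
        }
    '
}

# Run against the constructed sample; in production, pipe the real access log
# (e.g. tail -f or a daily rotation) into suspect_ips instead.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | suspect_ips
```

Only 203.0.113.7 is reported: 192.0.2.44 reaches /wp-admin/ without ever registering (a normal logged-in editor), and 198.51.100.23 registers but only calls admin-ajax.php. In production, add a time window (a registration followed by /wp-admin/ within minutes is far more suspicious than one followed days later) and join the flagged IPs against the user table's registration timestamps.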

🔗 References
