CVE-2024-8853 (GCVE-0-2024-8853)
Vulnerability from cvelistv5 – Published: 2024-09-20 07:33 – Updated: 2026-04-08 17:19
Title
Webo-facto <= 1.40 - Unauthenticated Privilege Escalation
Summary
The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to and including 1.40 because the 'doSsoAuthentification' function (WeboFacto/Sso.php in the 1.40 release, per the references) does not adequately restrict who can trigger it. As a result, an unauthenticated attacker can make themselves an administrator simply by registering an account whose username contains '-wfuser' — no existing credentials or user interaction are required (CVSS PR:N/UI:N). Operators should update past 1.40 (the fix is referenced as WordPress.org changeset 3153062); until then, disabling open user registration limits the precondition, and existing accounts should be audited for usernames containing '-wfuser' or for unexpected administrator roles.
Severity
9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CISA SSVC (2024-09-20): Exploitation: none, Automatable: yes, Technical Impact: total — the "Exploitation: none" assessment reflects the enrichment date and should be re-checked before deprioritizing.
CWE
- CWE-269 - Improper Privilege Management
Assigner: Wordfence (CNA)
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9?source=cve (advisory)
- https://plugins.trac.wordpress.org/browser/webo-facto-connector/tags/1.40/WeboFacto/Sso.php#L78 (vulnerable code, 1.40)
- https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector (fix)
Impacted products
1 product
| Vendor | Product | Version | Status |
|---|---|---|---|
| jeremieglotin | Webo-facto | 0 to ≤ 1.40 (semver) | Affected |

Note: the CNA record names the vendor "jeremieglotin", while the CISA ADP enrichment uses the CPE `cpe:2.3:a:medialibs:webo-facto:*:*:*:*:*:*:*:*`, and the WordPress.org plugin slug in the references is `webo-facto-connector`. Match on the plugin slug or CPE when inventorying affected sites rather than on the vendor name alone.
Credits: István Márton (finder)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:medialibs:webo-facto:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "webo-facto",
"vendor": "medialibs",
"versions": [
{
"lessThanOrEqual": "1.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:30:57.368567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T17:32:55.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webo-facto",
"vendor": "jeremieglotin",
"versions": [
{
"lessThanOrEqual": "1.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the \u0027doSsoAuthentification\u0027 function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains \u0027-wfuser\u0027."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:19:49.392Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c1280ceb-9ce8-47fc-8fd3-6af80015dea9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/webo-facto-connector/tags/1.40/WeboFacto/Sso.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3153062/webo-facto-connector"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-13T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-09-13T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-09-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Webo-facto \u003c= 1.40 - Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8853",
"datePublished": "2024-09-20T07:33:35.851Z",
"dateReserved": "2024-09-13T18:40:57.970Z",
"dateUpdated": "2026-04-08T17:19:49.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}