CVE-2024-11028: CWE-288 Authentication Bypass Using an Alternate Path or Channel in icdsoft MultiManager WP – Manage All Your WordPress Sites Easily
The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.
AI Analysis
Technical Summary
CVE-2024-11028 is an authentication bypass vulnerability in the icdsoft MultiManager WP plugin for WordPress, affecting all versions up to and including 1.0.5. The issue stems from the user impersonation feature incorrectly determining the current user based on user-supplied input, enabling unauthenticated attackers to generate impersonation links to log in as arbitrary users. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with network attack vector, no privileges required, no user interaction, and full confidentiality, integrity, and availability impact. The vendor mitigated the issue by disabling the feature in version 1.1.0 and later re-enabling it with a proper patch in version 1.1.2.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authentication controls and gain access as any user, including administrators, leading to complete compromise of the affected WordPress sites. This includes full control over site content, configuration, and potentially sensitive data, as well as the ability to disrupt availability.
Mitigation Recommendations
Users should upgrade to MultiManager WP version 1.1.2 or later, where the user impersonation feature is securely re-enabled with a patch. Versions 1.1.0 and 1.1.1 disable the vulnerable feature and also mitigate the risk. No other mitigations are indicated. Patch status is confirmed by the vendor's versioning and feature changes.
CVE-2024-11028: CWE-288 Authentication Bypass Using an Alternate Path or Channel in icdsoft MultiManager WP – Manage All Your WordPress Sites Easily
Description
The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11028 is an authentication bypass vulnerability in the icdsoft MultiManager WP plugin for WordPress, affecting all versions up to and including 1.0.5. The issue stems from the user impersonation feature incorrectly determining the current user based on user-supplied input, enabling unauthenticated attackers to generate impersonation links to log in as arbitrary users. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with network attack vector, no privileges required, no user interaction, and full confidentiality, integrity, and availability impact. The vendor mitigated the issue by disabling the feature in version 1.1.0 and later re-enabling it with a proper patch in version 1.1.2.
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass authentication controls and gain access as any user, including administrators, leading to complete compromise of the affected WordPress sites. This includes full control over site content, configuration, and potentially sensitive data, as well as the ability to disrupt availability.
Mitigation Recommendations
Users should upgrade to MultiManager WP version 1.1.2 or later, where the user impersonation feature is securely re-enabled with a patch. Versions 1.1.0 and 1.1.1 disable the vulnerable feature and also mitigate the risk. No other mitigations are indicated. Patch status is confirmed by the vendor's versioning and feature changes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-08T16:48:44.283Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e04b7ef31ef0b593ac3
Added to database: 2/25/2026, 9:47:48 PM
Last enriched: 4/9/2026, 5:54:31 AM
Last updated: 4/12/2026, 2:32:38 PM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.