CVE-2024-9989: CWE-288 Authentication Bypass Using an Alternate Path or Channel in odude Crypto Tool
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
AI Analysis
Technical Summary
The odude Crypto Tool WordPress plugin contains an authentication bypass vulnerability (CWE-288) in versions up to 2.18. The issue arises from a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' within the 'crypto_connect_ajax_process' function, enabling unauthenticated attackers to authenticate as any user by supplying a valid username. This flaw effectively bypasses normal authentication controls, granting full access to user accounts including administrators. The vulnerability is remotely exploitable without privileges or user interaction, resulting in complete compromise of the affected WordPress site.
Potential Impact
Successful exploitation allows an unauthenticated attacker to log in as any existing user on the WordPress site, including administrators. This leads to full control over the site, compromising confidentiality, integrity, and availability of the system and its data. The CVSS 3.1 base score of 9.8 reflects the critical nature of this vulnerability.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable or remove the affected plugin to prevent exploitation. Monitor official odude and WordPress security channels for updates and apply patches promptly once available.
CVE-2024-9989: CWE-288 Authentication Bypass Using an Alternate Path or Channel in odude Crypto Tool
Description
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The odude Crypto Tool WordPress plugin contains an authentication bypass vulnerability (CWE-288) in versions up to 2.18. The issue arises from a limited arbitrary method call to 'crypto_connect_ajax_process::log_in' within the 'crypto_connect_ajax_process' function, enabling unauthenticated attackers to authenticate as any user by supplying a valid username. This flaw effectively bypasses normal authentication controls, granting full access to user accounts including administrators. The vulnerability is remotely exploitable without privileges or user interaction, resulting in complete compromise of the affected WordPress site.
Potential Impact
Successful exploitation allows an unauthenticated attacker to log in as any existing user on the WordPress site, including administrators. This leads to full control over the site, compromising confidentiality, integrity, and availability of the system and its data. The CVSS 3.1 base score of 9.8 reflects the critical nature of this vulnerability.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, it is recommended to disable or remove the affected plugin to prevent exploitation. Monitor official odude and WordPress security channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-10-15T11:42:20.093Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b66b7ef31ef0b55505d
Added to database: 2/25/2026, 9:36:38 PM
Last enriched: 4/9/2026, 8:51:36 AM
Last updated: 4/11/2026, 11:28:00 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.