CVE-2024-11015
CRITICAL EXPLOITED
WordPress Sign In With Google < 1.8.0 - Auth Bypass
Title source: llm
Exploitation Summary
CVE-2024-11015 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.
References (2)
Scores
CVSS v3
9.8
EPSS
0.0077
EPSS Percentile
50.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2024-12-12
CWE
CWE-287
Status
published
Products (1)
tarecord/Sign In With Google
< 1.8.0
Published
Dec 12, 2024
Tracked Since
Feb 18, 2026