CVE-2024-11349

CRITICAL EXPLOITED

AdForest theme <5.1.6 - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2024-11349 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

References (2)

Core 2

Core References

Product

https://themeforest.net/item/adforest-classified-wordpress-theme/19481695

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/f374b3d1-820b-473f-8d2b-c3267e6d23d9?source=cve

Scores

CVSS v3 9.8

EPSS 0.0118

EPSS Percentile 63.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-05-05

CWE

CWE-288

Status published

Products (2)

scriptsbundle/AdForest < 5.1.6

scriptsbundle/adforest < 5.1.7

Published Dec 21, 2024

Tracked Since Feb 18, 2026