CVE-2024-9687

HIGH

Dueclic WP 2fa With Telegram < 3.1 - IDOR


Description

The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

Scores

CVSS v3 8.8
EPSS 0.0015
EPSS Percentile 35.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-639
Status published
Products (2)
dueclic/AuthPress < 3.0
dueclic/wp_2fa_with_telegram < 3.1
Published Oct 15, 2024
Tracked Since Feb 18, 2026