CVE-2024-9822

CRITICAL

Pedalo Connector <= 2.0.5 - Unauthenticated Authentication Bypass via login_admin_user Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-9822. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability in the Pedalo Connector WordPress plugin (versions <= 2.0.5). The exploit leverages insufficient restrictions on the 'login_admin_user' function, allowing unauthenticated attackers to log in as the first user (typically the administrator).

Description

The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. This makes it possible for unauthenticated attackers to log in as the first user, who is usually the administrator, or, if that user does not exist, as the first administrator.

Exploits (1)

nomisec WORKING POC 1 stars
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-9822

Classification: Working Poc 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Pedalo Connector WordPress plugin <= 2.0.5
No auth needed
Prerequisites: Pedalo Connector plugin activated · Site health feature running
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0091
EPSS Percentile 55.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-288
Status published
Products (2)
pedalo/pedalo_connector < 2.0.5
pedaloagency/Pedalo Connector < 2.0.5
Published Oct 11, 2024
Tracked Since Feb 18, 2026