UltimateAI <= 2.8.3 – Limited User Password Reset | CVE 2024-9104 | Plugin Vulnerabilities

Description

The plugin is vulnerable to authentication bypass due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3faf976d-0763-4e47-9bc3-18c791ec4487

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

18cd667f-6cfd-4f18-ae0a-c8504a1c32f3

Timeline

Publicly Published

2024-10-15 (about 1 year ago)

Added

2024-10-15 (about 1 year ago)

Last Updated

2024-10-15 (about 1 year ago)

Other

Published

Title

Published

2025-12-26

Title

Mobile builder <= 1.4.2 - Authentication Bypass

Published

2023-11-06

Title

Simple Social Buttons < 5.1.1 - Unauthenticated Password Protected Post Access

Published

2021-12-08

Title

Registration Magic < 5.0.1.8 - Authentication Bypass

Published

2025-09-19

Title

SupportCandy < 3.3.8 - Authentication Bypass to Support Session Takeover

Published

2016-04-28

Title

Google Authenticator <= 0.47 - Two Factor Authentication Bypass