Admin and Site Enhancements (ASE) < 7.6.10 – Password Protection Bypass | CVE 2024-13688 | Plugin Vulnerabilities

Description

The plugin uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request

Proof of Concept

On a password-protected site, enter a password and intercept the request. 

Modify the request to include the cookie `asenha_password_protection` with a value of `$P$BHPvIm0dNawNq9cogn48o0PFdHeC2B.`

You will be able to access the site even with the incorrect password.

Affects Plugins

admin-site-enhancements

Fixed in 7.6.10

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dogus Demirkiran

Submitter

Dogus Demirkiran

Verified

Yes

WPVDB ID

19051d08-16b0-466c-976b-be7b076e8e92

Timeline

Publicly Published

2025-04-07 (about 8 months ago)

Added

2025-04-07 (about 8 months ago)

Last Updated

2025-04-07 (about 8 months ago)

Other

Published

Title

Published

2023-08-08

Title

FULL - Customer < 2.3 - Subscriber+ Health Check Disclosure

Published

2015-03-09

Title

MainWP Child <= 2.0.9.1 - Authentication Bypass

Published

2018-03-03

Title

Super Socializer < 7.11 - Authentication Bypass

Published

2014-08-01

Title

G-Lock Double Opt-in Manager - Two Security Bypass Vulnerabilities

Published

2020-02-16

Title

ThemeGrill Demo Importer < 1.6.3 - Auth Bypass & Database Wipe