WordPress Plugin Vulnerabilities

Web3 – Crypto wallet Login & NFT token gating < 2.7.0 - Authentication Bypass

Description

The plugin does not properly perform authentication in the 'hidden_form_data' function, allowing an unauthenticated user to log in as any existing user on the site, such as an administrator, if they have access to the username.

Affects Plugins

Plugin icon
web3-authentication
Fixed in 2.7.0

References

CVE
CVE-2023-3249
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/web3-authentication/web3-crypto-wallet-login-nft-token-gating-260-authentication-bypass

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
e02e5066-9c22-4235-a61d-74468b67551f

Timeline

Publicly Published
2023-06-29 (about 2 years ago)
Added
2023-07-03 (about 2 years ago)
Last Updated
2023-07-07 (about 2 years ago)

Other

Published
Title
Published
2023-04-25
Title
WordPress Vertical Image Slider < 1.2.17 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Paid Memberships Pro 1.4.7 - adminpages/memberslist-csv.php Direct Request Member Personal Information Disclosure
Published
2023-09-25
Title
Simple Membership < 4.3.5 - Account Takeover via Password Reset
Published
2023-11-28
Title
WP Forms Puzzle Captcha <= 4.1 - Captcha Bypass
Published
2017-12-27
Title
woocommerce-csvimport 3.3.6 – Authenticated Arbitrary File Deletion