WordPress Plugin Vulnerabilities

Edwiser Bridge < 3.0.6 - Authentication Bypass due to Missing Empty Value Check

Description

The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the 'eb_user_email_verification_key' default value is empty, and the not empty check is missing in the 'eb_user_email_verify' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This can only be exploited if the 'Email Verification' setting is enabled.

Affects Plugins

Plugin icon
edwiser-bridge
Fixed in 3.0.6

References

CVE
CVE-2024-4186
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6969d281-f280-4714-9859-38ac66e9cc60

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
e39b8f65-c3d0-41d0-a33d-b115700ff686

Timeline

Publicly Published
2024-05-06 (about 2 years ago)
Added
2024-05-07 (about 2 years ago)
Last Updated
2024-05-07 (about 2 years ago)

Other

Published
Title
Published
2022-06-21
Title
OAuth 2.0 client for SSO < 1.11.4 - Authenticated Bypass
Published
2025-10-08
Title
Search & Go < 2.8 - Authentication Bypass to Privilege Escalation
Published
2014-08-01
Title
All in One SEO Pack <= 2.1.5 - Unspecified Privilege Escalation
Published
2021-03-08
Title
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass
Published
2026-02-23
Title
WeDesignTech Ultimate Booking Addon <= 1.0.1 - Subscriber+ Authentication Bypass