cve/2024/CVE-2024-9989.md

### [CVE-2024-9989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9989)
![](https://img.shields.io/static/v1?label=Product&message=Crypto%20Tool&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=*%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-288%20Authentication%20Bypass%20Using%20an%20Alternate%20Path%20or%20Channel&color=brightgreen)

### Description

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/12442RF/POC
- https://github.com/20142995/nuclei-templates
- https://github.com/DMW11525708/wiki
- https://github.com/Lern0n/Lernon-POC
- https://github.com/adysec/POC
- https://github.com/cyb3r-w0lf/nuclei-template-collection
- https://github.com/eeeeeeeeee-code/POC
- https://github.com/greenberglinken/2023hvv_1
- https://github.com/iemotion/POC
- https://github.com/laoa1573/wy876
- https://github.com/oLy0/Vulnerability
- https://github.com/wy876/POC
- https://github.com/wy876/wiki