1-Click Login CVE-2024-50478

CRITICAL
Authentication Bypass by Primary Weakness (CWE-305)
2024-10-28 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description (CVE.org)

Authentication Bypass by Primary Weakness vulnerability in swoopbrandon 1-Click Login: Passwordless Authentication swoop-password-free-authentication allows Authentication Bypass. This issue affects 1-Click Login: Passwordless Authentication: from n/a through 1.4.5.

Analysis (AI)

Remote authentication bypass in the 1-Click Login: Passwordless Authentication WordPress plugin (swoop-password-free-authentication) through version 1.4.5 allows unauthenticated attackers to bypass the primary authentication mechanism and gain access to protected accounts. With a CVSS score of 9.8 and an EPSS of 41.02% (97th percentile), this represents an elevated exploitation probability, although no public exploit had been identified at the time of analysis. The flaw stems from CWE-305 (Authentication Bypass by Primary Weakness), meaning the core authentication check itself can be circumvented rather than merely weakened.

Technical Context (AI)

The affected product is the WordPress plugin 'swoop-password-free-authentication' by swoopbrandon/swoopnow (CPE: cpe:2.3:a:swoopnow:1-click_login:passwordless_authentication:1.4.5), which provides passwordless (magic-link) login functionality. CWE-305 (Authentication Bypass by Primary Weakness) indicates that the plugin's primary authentication routine contains a logical or cryptographic flaw that lets an attacker satisfy or skip the check without holding the expected credential or token. Because the plugin replaces the standard WordPress password login flow, a bypass directly grants account-level access to whichever WordPress user the attacker targets, potentially including administrative accounts.

Remediation (AI)

No vendor-released patch was identified at the time of analysis; the advisory documents impact through 1.4.5 with no explicit fixed version provided. Administrators should monitor the Patchstack advisory feed and the swoop-password-free-authentication plugin page on wordpress.org for an updated release and upgrade as soon as it is published. As compensating controls: deactivate and remove the plugin entirely if passwordless login is non-essential (side effect: end users lose magic-link login and must use standard WordPress credentials); alternatively, restrict access to the plugin's authentication endpoints via a WAF rule or web server ACL limited to known IP ranges (side effect: legitimate remote users on dynamic IPs may be blocked); and enforce two-factor authentication on all WordPress administrator accounts via a separate 2FA plugin, so that a bypass of the primary check does not by itself yield an admin session (side effect: added login friction).

CVE-2024-50478 vulnerability details – vuln.today