1-Click Login CVE-2024-50478
Severity (by source): CRITICAL
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD; NVD is the only source for this CVE.
Description (CVE.org)
Authentication Bypass by Primary Weakness vulnerability in swoopbrandon 1-Click Login: Passwordless Authentication (swoop-password-free-authentication) allows Authentication Bypass. This issue affects 1-Click Login: Passwordless Authentication: from n/a through 1.4.5.
Analysis (AI)
Remote authentication bypass in the 1-Click Login: Passwordless Authentication WordPress plugin (swoop-password-free-authentication) through version 1.4.5 allows unauthenticated attackers to bypass the primary authentication mechanism and gain access to protected accounts. With a CVSS score of 9.8 and an EPSS of 41.02% (97th percentile), this represents an elevated exploitation probability, although no public exploit had been identified at the time of analysis. The flaw stems from CWE-305 (Authentication Bypass by Primary Weakness), meaning the core authentication check itself can be circumvented rather than merely weakened.
Technical Context (AI)
The affected product is the WordPress plugin 'swoop-password-free-authentication' by swoopbrandon/swoopnow (CPE: cpe:2.3:a:swoopnow:1-click_login:passwordless_authentication:1.4.5), which provides passwordless (magic-link) login functionality. CWE-305 (Authentication Bypass by Primary Weakness) indicates that the plugin's primary authentication routine contains a logical or cryptographic flaw that lets an attacker satisfy or skip the check without holding the expected credential or token. Because the plugin replaces the standard WordPress password login flow, a bypass directly grants account-level access to whichever WordPress user the attacker targets, potentially including administrative accounts.
Remediation (AI)
No vendor-released patch was identified at the time of analysis; the advisory documents impact through 1.4.5 and gives no explicit fixed version. Administrators should monitor the Patchstack advisory feed and the swoop-password-free-authentication plugin page on wordpress.org for an updated release and upgrade as soon as it is published. Until then, apply one or more of the following compensating controls:
- Deactivate and remove the plugin entirely if passwordless login is non-essential. Side effect: end users lose magic-link login and must use standard WordPress credentials.
- Alternatively, restrict access to the plugin's authentication endpoints with a WAF rule or web server ACL limited to known IP ranges. Side effect: legitimate remote users on dynamic IPs may be blocked.
- Enforce two-factor authentication on all WordPress administrator accounts via a separate 2FA plugin, so that a bypass of the primary check does not by itself yield an admin session. Side effect: added login friction.