Skip to main content

Wawp CVE-2024-52475

CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2024-11-28 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:23 NVD
9.8 (CRITICAL)
CVE Published
Nov 28, 2024 - 11:15 nvd
N/A

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18.

AnalysisAI

Authentication bypass in the Wawp automation-web-platform plugin (versions up to and including 3.0.18) allows remote unauthenticated attackers to circumvent authentication via an alternate path or channel and gain unauthorized access to protected functionality. With a CVSS of 9.8 and an EPSS of 23.59% (96th percentile), the flaw poses elevated exploitation interest, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Wawp (Information Technology's 'automation-web-platform') is a web-based automation product. The underlying weakness is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), where an application exposes a secondary code path - typically an endpoint, parameter, or handler - that fails to enforce the same identity checks as the main authentication flow. In practice this often manifests as a route accessible via direct URL invocation, a missing capability check on an AJAX/REST handler, or a request type that skips the normal middleware chain, allowing an attacker to reach privileged logic without valid credentials.

Affected ProductsAI

The vulnerability affects Information Technology's Wawp automation-web-platform plugin, all versions from an unspecified initial release through versions less than 3.0.18 (i.e., up to and including 3.0.17 per the '< 3.0.18' bound). No CPE strings were provided in the input. The advisory was issued by Patchstack (audit@patchstack.com), and consumers should consult the Patchstack vulnerability database entry for CVE-2024-52475 for the canonical advisory URL.

RemediationAI

Upstream fix available; the description indicates the issue is resolved in versions 3.0.18 and later, so administrators should upgrade Wawp to 3.0.18 or newer as the primary remediation. Because the input does not include a vendor advisory URL beyond the Patchstack reporter, verify the fix details via the Patchstack advisory for CVE-2024-52475 before deployment. If immediate upgrade is not feasible, compensating controls include disabling or deactivating the Wawp plugin entirely (which removes the attack surface but breaks any automation workflows it provides), restricting access to the site's admin and plugin endpoints via a web application firewall or IP allowlist (effective only if administrative reach can be narrowed), and monitoring access logs for anomalous requests to Wawp-specific routes (detective rather than preventive). Avoid relying on standard WordPress login enforcement alone, since the flaw is specifically an alternate-path bypass that sidesteps normal authentication.

Share

CVE-2024-52475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy