Wawp CVE-2024-52475
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18.
AnalysisAI
Authentication bypass in the Wawp automation-web-platform plugin (versions up to and including 3.0.18) allows remote unauthenticated attackers to circumvent authentication via an alternate path or channel and gain unauthorized access to protected functionality. With a CVSS of 9.8 and an EPSS of 23.59% (96th percentile), the flaw poses elevated exploitation interest, though no public exploit identified at time of analysis. The vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Wawp (Information Technology's 'automation-web-platform') is a web-based automation product. The underlying weakness is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), where an application exposes a secondary code path - typically an endpoint, parameter, or handler - that fails to enforce the same identity checks as the main authentication flow. In practice this often manifests as a route accessible via direct URL invocation, a missing capability check on an AJAX/REST handler, or a request type that skips the normal middleware chain, allowing an attacker to reach privileged logic without valid credentials.
Affected ProductsAI
The vulnerability affects Information Technology's Wawp automation-web-platform plugin, all versions from an unspecified initial release through versions less than 3.0.18 (i.e., up to and including 3.0.17 per the '< 3.0.18' bound). No CPE strings were provided in the input. The advisory was issued by Patchstack (audit@patchstack.com), and consumers should consult the Patchstack vulnerability database entry for CVE-2024-52475 for the canonical advisory URL.
RemediationAI
Upstream fix available; the description indicates the issue is resolved in versions 3.0.18 and later, so administrators should upgrade Wawp to 3.0.18 or newer as the primary remediation. Because the input does not include a vendor advisory URL beyond the Patchstack reporter, verify the fix details via the Patchstack advisory for CVE-2024-52475 before deployment. If immediate upgrade is not feasible, compensating controls include disabling or deactivating the Wawp plugin entirely (which removes the attack surface but breaks any automation workflows it provides), restricting access to the site's admin and plugin endpoints via a web application firewall or IP allowlist (effective only if administrative reach can be narrowed), and monitoring access logs for anomalous requests to Wawp-specific routes (detective rather than preventive). Avoid relying on standard WordPress login enforcement alone, since the flaw is specifically an alternate-path bypass that sidesteps normal authentication.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today