CVE-2024-10284: 
WordPress vulnerability analysis and mitigation

The CE21 Suite plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-10284) affecting versions up to and including 2.2.0. The vulnerability was discovered and disclosed on November 8, 2024. The issue stems from a hardcoded encryption key in the 'ce21authenticationphrase' function (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness has been classified under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

This vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators, provided they have access to the email address. This presents a critical security risk as it could lead to complete site compromise (NVD).

Users should immediately update their CE21 Suite plugin to a version newer than 2.2.0 to address this vulnerability. A patch has been made available to fix the hardcoded encryption key issue (WordPress Plugin).