CVE-2024-8853: 
WordPress vulnerability analysis and mitigation

The Webo-facto plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-8853) affecting versions up to and including 1.40. The vulnerability was discovered and disclosed on September 20, 2024, and affects the plugin's 'doSsoAuthentification' function (NVD).

The vulnerability stems from insufficient restriction in the 'doSsoAuthentification' function, which allows unauthenticated attackers to elevate their privileges to administrator level. The attack vector involves registering with a username containing '-wfuser'. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated attackers to gain administrator privileges on affected WordPress installations. This level of access permits complete control over the WordPress site, including the ability to modify content, install or remove plugins and themes, and manage user accounts (NVD).

A patch has been released to address this vulnerability. Site administrators should update their Webo-facto plugin to a version newer than 1.40 (Wordfence).