CVE-2024-9104: 
WordPress vulnerability analysis and mitigation

The UltimateAI plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-9104) affecting all versions up to and including 2.8.3. The vulnerability was discovered and disclosed on October 15, 2024. This security issue affects the WordPress plugin UltimateAI, which is an AI-enhanced content generation and management tool (CodeCanyon).

The vulnerability stems from improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. The CVSS v3.1 score for this vulnerability is 5.6 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability has been classified under CWE-703 (Improper Check or Handling of Exceptional Conditions) (NVD).

The vulnerability allows unauthenticated attackers to reset the password of specific users under certain conditions. Specifically, attackers can target either the first user whose account is not yet activated or the first user who has activated their account with subscriber privileges (Wordfence).

Users should upgrade to a version newer than 2.8.3 when available. The vulnerability was addressed in the changelog for version 2.8.3, which was released on August 23, 2024 (CodeCanyon).