CVE-2024-9488: 
WordPress vulnerability analysis and mitigation

The Comments – wpDiscuz plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-9488) affecting all versions up to and including 7.6.24. The vulnerability was discovered and disclosed on October 25, 2024, impacting over 80,000 active WordPress installations (SecurityOnline, NVD).

The vulnerability stems from insufficient verification of user identities during social login processes, specifically in the verification of users being returned by social login tokens. The vulnerability has been assigned a critical CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

The vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators, if they have access to the email address and the user does not have an already-existing account for the service returning the token. This could lead to full administrative access, enabling attackers to modify content, install malicious plugins, or lock out legitimate users (SecurityOnline).

Website administrators are strongly advised to update to wpDiscuz version 7.6.25, which contains the security fix for this vulnerability. Additional security measures recommended include implementing two-factor authentication and conducting regular security audits (SecurityOnline).