CVE-2024-10245 Overview
The Relais 2FA plugin for WordPress contains a critical authentication bypass vulnerability in versions up to and including 1.0. The flaw stems from incorrect authentication and capability checking in the rl_do_ajax function. It allows unauthenticated attackers to log in as any existing user on the affected WordPress site, including administrators, provided they know the target user's email address.
Critical Impact
An unauthenticated attacker who knows an administrator's email address can obtain a full administrative session without supplying the account's password or its second factor. The bypass therefore defeats authentication as a whole, not just the 2FA step, and can lead to complete site compromise, data theft, and malicious content injection.
Affected Products
- Relais 2FA WordPress Plugin version 1.0 and earlier
- Any WordPress installation on which the Relais 2FA plugin is active, since the vulnerable AJAX handler is reachable whenever the plugin is active
Discovery Timeline
- 2024-11-12 - CVE-2024-10245 published to NVD
- 2024-11-12 - Last updated in NVD database
Technical Details for CVE-2024-10245
Vulnerability Analysis
This authentication bypass vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) represents a fundamental flaw in how the Relais 2FA plugin validates user authentication requests. The vulnerability exists within the rl_do_ajax function, which fails to properly verify that the requesting user has appropriate credentials and capabilities before processing authentication requests.
The flawed implementation lets an attacker circumvent the intended login flow entirely. An attacker who knows or obtains a target user's email address can authenticate as that user without supplying the account's password and without completing the 2FA challenge. Both factors are removed, not only the second one, which defeats the purpose of deploying two-factor authentication.
Root Cause
The root cause is improper authentication and authorization checking within the rl_do_ajax function. The plugin fails to adequately verify that authentication requests originate from legitimate sources with proper credentials. This allows unauthenticated users to invoke authentication functions that should only be accessible to users who have already partially authenticated through the standard WordPress login flow.
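The flaw class described above, as an added Python model. This is not the plugin's code (the plugin is PHP; the model is Python so it runs stand-alone) and every name in it is hypothetical. vulnerable_finalize stands for a login endpoint reachable without a session that hands a session to whichever user matches a caller-supplied email, with no password, no second factor and no capability check. begin_login and hardened_finalize show the checks that close that alternate path: the finalizing request must carry a pending token that only exists after the password was verified, the token rather than a client-chosen email names the account, the second factor (RFC 6238 TOTP) is compared in constant time, and the token is single-use and expires. The user, password and TOTP secret are constructed sample data.

```python
"""Model of an authentication bypass via an alternate path (CWE-288).

Added illustrative example; not the Relais 2FA plugin's code. All function
names are hypothetical and the account data is constructed.
"""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
PENDING_TTL = 300   # seconds a half-finished login stays valid


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the second factor in this model."""
    counter = struct.pack(">Q", int(now // TOTP_STEP))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}    # email -> record
        self.pending = {}  # sha256(token) -> (email, expires_at)

    def add_user(self, email, password, role, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[email] = {"role": role, "salt": salt,
                             "pw_hash": _hash_password(password, salt),
                             "totp_secret": totp_secret}

    # --- the vulnerable alternate path ------------------------------------
    def vulnerable_finalize(self, email):
        """Hypothetical handler with the flaw class: reachable without a
        session, it grants a session to whoever matches the supplied email.
        Nothing proves the caller ever passed the password or 2FA step."""
        user = self.users.get(email)
        if user is None:
            return None
        return {"user": email, "role": user["role"]}

    # --- the hardened two-step flow ---------------------------------------
    def begin_login(self, email, password, now):
        """Primary factor. On success returns an opaque pending token that
        records which account passed the password step; no session yet."""
        user = self.users.get(email)
        # Hash even for unknown accounts so timing does not reveal existence.
        salt = user["salt"] if user else b"\x00" * 16
        expected = user["pw_hash"] if user else b"\x00" * 32
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, now + PENDING_TTL)
        return token

    def hardened_finalize(self, token, otp_code, now):
        """Second factor. The pending token, not a client-supplied email,
        names the account; the token must be unexpired, the TOTP must
        match in constant time, and the token is consumed on use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.get(key)
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            del self.pending[key]
            return None
        expected = totp(self.users[email]["totp_secret"], now)
        if not hmac.compare_digest(expected, otp_code):
            return None
        del self.pending[key]  # single use
        return {"user": email, "role": self.users[email]["role"]}
```

The point of the hardened shape is that the second request cannot pick its victim: the only way to obtain a pending token for an account is to present that account's password, so a request arriving by the "alternate path" with nothing but an email address has nothing to finalize.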
Attack Vector
The attack can be conducted remotely over the network without requiring any prior authentication. An attacker needs only knowledge of a valid email address associated with a user account on the target WordPress installation. The attack flow involves:
- Identifying a target WordPress site running the vulnerable Relais 2FA plugin
- Obtaining or guessing a valid email address for an existing user (preferably an administrator)
- Sending an AJAX request that reaches the plugin's rl_do_ajax handler with the target user's email address; the request goes to WordPress's admin-ajax.php endpoint, which is reachable without a session
- Bypassing the authentication flow to gain access as the target user
The vulnerability is accessible through the network without user interaction, making it particularly dangerous for internet-facing WordPress installations. Technical details about the vulnerable code can be found in the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-10245
Indicators of Compromise
- Unexpected administrator login events from unfamiliar IP addresses or unusual geographies
- POST requests to /wp-admin/admin-ajax.php whose action parameter maps to the plugin's rl_do_ajax handler, especially from clients with no preceding wp-login.php traffic (this page does not name the action string; take it from the plugin source or the Wordfence report)
- Administrator sessions appearing in wp-admin without any preceding POST to wp-login.php, failed or successful, from the same client
- Changes to site configuration, user accounts, or content by administrators who deny making them
Detection Strategies
- Monitor WordPress authentication logs for successful logins that bypass the normal 2FA verification flow
- Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting the Relais 2FA plugin endpoints
- Review server access logs for POST requests to /wp-admin/admin-ajax.php with action parameters related to Relais 2FA functionality; a POSTed action parameter usually travels in the request body, which default access logs do not record, so inspect it at the WAF or enable request-body logging for that endpoint
- Configure alerting for new administrator account creation or privilege escalation events
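The access-log review and the login-without-login-flow correlation from the lists above, as an added Python triage script that is not code from the page, the plugin vendor or Wordfence. Two assumptions are not stated on the page: the plugin's admin-ajax action name is unknown here, so any action value beginning with "rl_" (the prefix of the vulnerable function name) is treated as plugin traffic, and the "rl_placeholder" action in the sample is a placeholder, not the real string. The log lines are constructed, not real captures. The script flags a request as high when the plugin action is visible in the query string, and as medium when a client that POSTed to admin-ajax.php is then served an authenticated wp-admin page without ever POSTing to wp-login.php; the second rule is what catches the common case where the action was in the request body and never reached the log.

```python
"""Access-log triage for the CVE-2024-10245 request pattern.

Added illustrative example; not code from the page, the plugin vendor or
Wordfence. Assumptions: plugin admin-ajax actions start with "rl_" (the real
action name is not given on the page); the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SUSPECT_ACTION_PREFIX = "rl_"            # assumption, see module docstring
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample: a normal form login (203.0.113.10), an admin-ajax POST
# whose action is visible in the query string (198.51.100.77), and an
# admin-ajax POST whose action travelled in the body (192.0.2.5).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Nov/2024:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9931 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Nov/2024:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=rl_placeholder HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.77 - - [12/Nov/2024:10:05:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9931 "-" "python-requests/2.31"
192.0.2.5 - - [12/Nov/2024:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Nov/2024:10:07:02 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def scan(lines):
    """Return (ip, severity, reason) findings in time order.

    high:   admin-ajax POST whose action parameter carries the plugin prefix.
    medium: an authenticated wp-admin page (HTTP 200; anonymous requests get
            a 302 to wp-login.php) served to an IP that POSTed to
            admin-ajax.php within the window but never POSTed to
            wp-login.php, i.e. a login that skipped the normal form.
    """
    events = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    ajax_posts = defaultdict(list)
    login_posts = defaultdict(list)
    findings = []
    for ev in events:
        url = urlsplit(ev["path"])
        if ev["method"] == "POST" and url.path.endswith("/wp-login.php"):
            login_posts[ev["ip"]].append(ev["ts"])
        elif ev["method"] == "POST" and url.path.endswith("/wp-admin/admin-ajax.php"):
            ajax_posts[ev["ip"]].append(ev["ts"])
            action = parse_qs(url.query).get("action", [""])[0]
            if action.startswith(SUSPECT_ACTION_PREFIX):
                findings.append((ev["ip"], "high",
                                 f"admin-ajax POST with action={action}"))
        elif (ev["method"] == "GET" and url.path.startswith("/wp-admin/")
              and not url.path.endswith("/admin-ajax.php") and ev["status"] == 200):
            recent_ajax = [t for t in ajax_posts[ev["ip"]]
                           if ev["ts"] - t <= CORRELATION_WINDOW]
            if recent_ajax and not login_posts[ev["ip"]]:
                findings.append((ev["ip"], "medium",
                                 f"{url.path} served after admin-ajax POST "
                                 "with no wp-login.php POST from this IP"))
    return findings


if __name__ == "__main__":
    for ip, sev, why in scan(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {ip:15} {why}")
```

Run it over a window that starts before the sessions you care about; a client whose form login fell outside the scanned range will look like a medium finding, so treat medium as a triage queue for the IOC review above rather than as proof of exploitation.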
Monitoring Recommendations
- Enable comprehensive WordPress logging including all authentication events and administrative actions
- Forward web-server access logs and WordPress audit logs to a SIEM or log-analysis pipeline that can flag wp-admin sessions for which no wp-login.php authentication was observed
- Implement real-time monitoring for changes to critical WordPress files and database tables
- Configure alerts for login activity from IP addresses outside normal organizational ranges
How to Mitigate CVE-2024-10245
Immediate Actions Required
- Immediately deactivate and remove the Relais 2FA plugin from all WordPress installations
- Audit all administrator and user accounts for unauthorized changes or suspicious activity
- Review WordPress site content and configuration for signs of compromise
- Implement an alternative, secure two-factor authentication solution from a reputable vendor
- Reset passwords for all administrative accounts as a precautionary measure
Patch Information
As of the last available information, site administrators should check the WordPress plugin repository for any security updates to the Relais 2FA plugin. Given the critical nature of this vulnerability, it is strongly recommended to disable the plugin until a verified patch is available. Consult the Wordfence Vulnerability Report for the latest remediation guidance.
Workarounds
- Remove or deactivate the Relais 2FA plugin entirely until a patch is available
- Implement network-level access controls to restrict wp-admin access to trusted IP addresses only
- Deploy a web application firewall (WAF) with rules to block exploitation attempts targeting this vulnerability
- Consider using alternative 2FA plugins with established security track records such as Google Authenticator or Wordfence Login Security
- Enable WordPress security hardening measures including limiting login attempts and enforcing strong passwords
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.