CVE-2024-50478 — AI Deep Analysis Summary

🚨 **Essence**: A critical authentication bypass in the '1-Click Login: Passwordless Authentication' plugin.…

🛡️ **Root Cause**: **CWE-305** (Authentication Bypass). The plugin fails to properly verify the user's identity before granting access. It trusts the login request without sufficient proof of ownership.

📦 **Affected**: WordPress Plugin: **1-Click Login: Passwordless Authentication**. 📌 **Version**: Specifically **v1.4.5**. 🏢 **Vendor**: Swoop. 🌐 **Platform**: WordPress sites using this specific plugin.

💀 **Hackers Can**: Bypass login entirely. 👤 **Privileges**: Access any account, including **Administrators**. 📂 **Data**: Full read/write access to site content, user data, and configuration. Total control.

⚡ **Threshold**: **LOW**. 🌐 **Network**: Remote (AV:N). 🔑 **Auth**: None required (PR:N). 🖱️ **UI**: None required (UI:N). 🎯 **Requirement**: Just need to know the victim's **email address** to trigger the bypass.

🔓 **Exploit**: **YES**. Public PoC available on GitHub (RandomRobbieBF). 📝 **Description**: 'Authentication Bypass via Account Takeover'. 🌍 **Status**: Active exploitation risk due to simplicity.

🔍 **Self-Check**: 1. Check WordPress Plugins list for '1-Click Login: Passwordless Authentication'. 2. Verify version is **1.4.5**. 3. Look for email-based login features. 4. Scan for CVE-2024-50478 signatures.

🩹 **Fix**: Update the plugin to the latest patched version immediately. 📢 **Official**: Patch is implied by the CVE publication. Check vendor (Swoop) or WordPress repo for updates.…

🚧 **No Patch?**: 1. **Disable** the plugin immediately. 2. Revert to standard username/password login. 3. Monitor admin logs for suspicious login attempts. 4. Reset passwords for all users as a precaution.

🔥 **Urgency**: **CRITICAL** (CVSS 9.8). 🚨 **Priority**: Patch **IMMEDIATELY**. This is a remote, unauthenticated vulnerability with full system impact. Do not wait. 🛑 High risk of immediate compromise.