CVE-2024-11349 CRITICAL

CVE-2024-11349: AdForest <= 5.1.6 - Authentication Bypass

Vendor Scriptsbundle
Product AdForest
Weakness CWE-288
Published December 21, 2024
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the theme not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function, its OTP-based login path. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

Explanation of Vulnerability in Simple Terms

02Summary

AdForest versions up to and including 5.1.6 contain an authentication bypass (CWE-288) that lets an unauthenticated attacker log in as any existing user, including administrators, and thereby take full control of the site. The root cause is missing identity verification in the OTP login routine: the code signs the caller in without properly confirming that they are the user they claim to be, so the attacker needs no credentials and can then read, modify, or delete any data the impersonated account can reach. All installations should update to a version newer than 5.1.6 immediately.
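The following PHP sketch is an added illustration of the weakness class behind this advisory (CWE-288, an alternate authentication path that does not verify identity). It is not AdForest's code and not the body of sb_login_user_with_otp_fun(): the handler names, request fields, transient keys and limits are assumptions made for the example. It contrasts an OTP login handler that trusts the caller's claimed username with one that binds a short-lived, single-use, hashed code to the user and compares it in constant time.

```php
<?php
/**
 * Added illustration of the CWE-288 pattern behind an OTP login bypass in
 * a WordPress theme. NOT AdForest's code: every handler name, request
 * field, transient key and limit below is an assumption for the example.
 */

// ---------- Vulnerable pattern (hypothetical) ----------
// Reachable by logged-out visitors via wp_ajax_nopriv_. It trusts the
// caller's claim of who they are: the submitted OTP is read but never
// checked against a code that was actually issued to this user, so any
// visitor can be logged in as any account they can name.
function example_vulnerable_otp_login() {
    $login = sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) );
    $otp   = sanitize_text_field( wp_unslash( $_POST['otp'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' );
    }
    // $otp is never compared to anything: identity is never verified.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( 'logged in' );
}
add_action( 'wp_ajax_nopriv_example_vulnerable_otp_login', 'example_vulnerable_otp_login' );

// ---------- Hardened pattern ----------
define( 'EXAMPLE_OTP_TTL', 5 * MINUTE_IN_SECONDS ); // assumed lifetime
define( 'EXAMPLE_OTP_MAX_TRY', 5 );                 // assumed guess budget

// Issue a 6-digit code bound to one user. Only a keyed hash is stored
// server-side; delivering the plaintext (SMS / e-mail) is out of scope.
function example_issue_otp( int $user_id ): string {
    $code = str_pad( (string) wp_rand( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    set_transient(
        "example_otp_{$user_id}",
        array( 'hash' => wp_hash( $code ), 'tries' => 0 ),
        EXAMPLE_OTP_TTL
    );
    return $code;
}

function example_hardened_otp_login() {
    check_ajax_referer( 'example_otp_login', 'nonce' );

    $login = sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) );
    $code  = preg_replace( '/\D/', '', wp_unslash( $_POST['otp'] ?? '' ) );
    $user  = get_user_by( 'login', $login );

    // One generic failure message whether the user, the code or the attempt
    // budget is wrong, so the endpoint cannot be used to enumerate accounts.
    // wp_send_json_error() ends the request, so nothing below it runs.
    $fail = function () {
        wp_send_json_error( 'invalid login or code' );
    };

    if ( ! $user ) {
        $fail();
    }

    $key   = "example_otp_{$user->ID}";
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $fail(); // no code issued for this user, or it expired
    }

    if ( $state['tries'] >= EXAMPLE_OTP_MAX_TRY ) {
        delete_transient( $key ); // burn the code after too many guesses
        $fail();
    }

    // Constant-time comparison of the keyed hash of the submitted code.
    if ( strlen( $code ) !== 6 || ! hash_equals( $state['hash'], wp_hash( $code ) ) ) {
        $state['tries']++;
        set_transient( $key, $state, EXAMPLE_OTP_TTL );
        $fail();
    }

    delete_transient( $key ); // single use: a replayed code must not work
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( 'logged in' );
}
add_action( 'wp_ajax_nopriv_example_hardened_otp_login', 'example_hardened_otp_login' );
```

Both handlers sit on wp_ajax_nopriv_ hooks because an OTP login must be reachable before authentication; that is exactly why the identity proof has to live inside the handler rather than being assumed from the request. When auditing a theme or plugin for this class of bug, locate every call to wp_set_auth_cookie() or wp_set_current_user() and trace back which request-controlled value selected the user and what, if anything, proved the caller owns that account.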

What an attacker can do

03Attacker Capabilities

Log in as any existing user, including administrators, without knowing their credentials, and then read, modify, or delete any data that account can access.

Potential impact on your site

04Site Impact

Complete compromise of the site running AdForest and all of its user data: an attacker who logs in as an administrator can impersonate any user, modify site content, and change site configuration.

Conditions required to exploit

05Prerequisites

Network access to the AdForest installation's OTP login endpoint; no account, credentials, or user interaction is required.

Key dates

06Disclosure timeline

December 21, 2024 CVE published
April 8, 2026 Record updated
