CVE-2024-9989

Description

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. This is due to a limited arbitrary method call to crypto_connect_ajax_process::log_in function in the crypto_connect_ajax_process function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.