This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as `/wp-json/wp/v2/users`, by supplying an arbitrary, incorrect password in a Basic Authentication header. The root cause is the misinterpretation of the return value of `wp_authenticate_application_password()`: a `WP_Error` result (as returned for an incorrect password) is treated as an indication of successful authentication, and the `null` that WordPress returns in some cases is likewise treated as an authenticated request.
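The return-value mix-up described above, shown as an added illustrative example that is not the plugin's code: a hypothetical vulnerable check that accepts anything other than `false`, beside a hardened check that follows the pattern WordPress core itself uses in `wp_validate_application_password()`. The function names and the REST route at the end are assumptions made for the example.

```php
<?php
/**
 * Illustrative reconstruction (not the plugin's code) of the return-value
 * handling fault, beside the hardened form.
 *
 * wp_authenticate_application_password( $input_user, $username, $password )
 * can return three kinds of value:
 *   - a WP_User   : an application password matched     -> authenticated
 *   - a WP_Error  : unknown user, wrong password, etc.  -> NOT authenticated
 *   - $input_user : returned unchanged (null here) when application passwords
 *                   are not in use or this is not an API request -> NOT authenticated
 * Only the first case may be treated as success.
 */

/**
 * VULNERABLE pattern (hypothetical): treats everything except `false` as success.
 * The function never returns `false`, so both the WP_Error for a wrong password
 * and a plain null fall through to the impersonation below.
 */
function example_vulnerable_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	if ( false === $result ) { // BUG: never true for WP_Error or null
		return false;
	}

	// BUG: the identity comes from the attacker-supplied username rather than
	// from a verified WP_User, so any known administrator login can be assumed.
	$user = get_user_by( 'login', $username );
	if ( $user ) {
		wp_set_current_user( $user->ID );
		return true;
	}
	return false;
}

/**
 * HARDENED pattern: mirrors core's wp_validate_application_password().
 * Only a WP_User instance counts as success, and the identity is taken from it.
 */
function example_hardened_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	if ( ! ( $result instanceof WP_User ) ) {
		// WP_Error (wrong password, unknown user, app passwords disabled) or
		// null (not an API request / app passwords not in use): reject.
		return false;
	}

	wp_set_current_user( $result->ID );
	return true;
}

/**
 * Preferred: do not parse Basic Auth in the plugin at all. Core already runs
 * wp_validate_application_password() on the determine_current_user filter for
 * REST requests, so a permission_callback on the route is sufficient.
 * (Namespace, route and capability below are hypothetical.)
 */
add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/admin-data', array(
		'methods'             => 'GET',
		'callback'            => function ( WP_REST_Request $request ) {
			return rest_ensure_response( array( 'ok' => true ) );
		},
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );
} );
```

To check exposure on a staging copy, send a request with a known administrator login and a deliberately wrong password, for example `curl -u 'admin:not-the-password' 'https://staging.example.test/wp-json/wp/v2/users?context=edit'`; the `edit` context requires the `list_users` capability, so a correctly behaving site answers with a 401 `rest_forbidden_context` error, while a site exhibiting this fault answers 200 with the full user records (including e-mail addresses) of the impersonated administrator's view.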
| Vendor | Product | Versions |
|---|---|---|
| burstbv | burst statistics – privacy-friendly wordpress analytics (google analytics alternative) | 3.4.0, 3.4.1 |
Updated description with detailed technical information, added affected version 3.4.1, and provided the patched version 3.4.2.
Initial creation