CVE-2024-11638
Published: 10 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-11638 affects the Gtbabel WordPress plugin in versions prior to 6.6.9. The vulnerability stems from the plugin's failure to validate that a URL submitted for code analysis belongs to the same blog, enabling unauthorized access to sensitive data. Specifically, when the plugin processes a URL for analysis, it includes cookies from the currently logged-in user in the request, exposing them if the URL is controlled by an attacker.
Unauthenticated attackers can exploit this issue over the network with low complexity, but it requires user interaction, such as tricking a logged-in user (e.g., an admin) into visiting a crafted URL. Successful exploitation allows the attacker to capture the victim's cookies, potentially leading to high-impact confidentiality, integrity, and availability violations, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). This could enable session hijacking or further compromise of the WordPress site.
Mitigation involves updating the Gtbabel plugin to version 6.6.9 or later, as indicated by the vulnerability's versioning details. Additional guidance is available in the WPScan advisory at https://wpscan.com/vulnerability/2f20336f-e12e-4b09-bcaf-45f7249f6495/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables cookie capture by including logged-in user cookies in requests to attacker-controlled URLs when a victim visits a crafted link, mapping to stealing web session cookies.