# Exploit Title: WordPress Plugin - Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
# Exploit Author: Dogus DEMIRKIRAN
# Vendor Homepage: https://wordpress.org/plugins/admin-site-enhancements/
# Version: < 7.6.10
# CVE: CVE-2024-13688
===============================================================================
# PoC
The plugin uses a hardcoded password in its Password Protection feature, allowing an attacker to bypass the protection it offers via a crafted request.
> On a password-protected site, enter a password and intercept the request.
> Modify the request to include the cookie `asenha_password_protection` with a value of `$P$BHPvIm0dNawNq9cogn48o0PFdHeC2B.`
> You will be able to access the site even with the incorrect password.
===============================================================================
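
For defenders, the static cookie value above is a usable detection signature. The following is an added example, not part of the original PoC or the plugin's code: it flags logged requests that present the published value and checks whether an installed ASE version is below 7.6.10. The JSON log format with `client`, `path` and `cookie` fields and all function names are assumptions.

```python
import json
from urllib.parse import unquote

# Cookie name and static value exactly as published in the PoC above.
COOKIE_NAME = "asenha_password_protection"
STATIC_VALUE = "$P$BHPvIm0dNawNq9cogn48o0PFdHeC2B."
FIXED_VERSION = (7, 6, 10)  # versions below this are listed as affected

def parse_cookie_header(header):
    """Split a raw Cookie header into {name: percent-decoded value}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote(value.strip('"'))
    return cookies

def is_bypass_attempt(cookie_header):
    """True when the request carries the published static cookie value."""
    return parse_cookie_header(cookie_header).get(COOKIE_NAME) == STATIC_VALUE

def is_affected(version):
    """True when a numeric ASE version string is below 7.6.10."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return parts < FIXED_VERSION

def scan(log_lines):
    """Return (client, path) for each JSON log record that matches."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if is_bypass_attempt(rec.get("cookie", "")):
            hits.append((rec["client"], rec["path"]))
    return hits

# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '{"client": "192.0.2.10", "path": "/", "cookie": "wp_lang=en; asenha_password_protection=%24P%24BHPvIm0dNawNq9cogn48o0PFdHeC2B."}',
    '{"client": "192.0.2.11", "path": "/", "cookie": "asenha_password_protection=$P$Bconstructedvalue0000000000000000"}',
    '{"client": "198.51.100.7", "path": "/about/", "cookie": "asenha_password_protection=$P$BHPvIm0dNawNq9cogn48o0PFdHeC2B."}',
    '{"client": "198.51.100.8", "path": "/", "cookie": ""}',
]

if __name__ == "__main__":
    for client, path in scan(SAMPLE_LOG):
        print(f"possible CVE-2024-13688 bypass: {client} {path}")
```

A match shows that the published value was presented, not that the sender lacked the real password, so correlate hits with the password submissions that preceded them. Most default web server access logs do not record cookies; this needs a WAF or proxy log that does.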