{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-13685", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-01-23T18:49:40.091Z", "datePublished": "2025-03-04T06:00:04.054Z", "dateUpdated": "2025-03-04T14:32:08.168Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2025-03-04T06:00:04.054Z"}, "title": "Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing", "problemTypes": [{"descriptions": [{"description": "CWE-290 Authentication Bypass by Spoofing", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Admin and Site Enhancements (ASE)", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "7.6.10"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value to bypass the login limit feature in the Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10."}], "references": [{"url": "https://wpscan.com/vulnerability/72c61904-253d-42d1-9edd-7ea2162a2f85/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Dogus Demirkiran", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T14:31:44.400174Z", "id": "CVE-2024-13685", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T14:32:08.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-13685", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T14:31:44.400174Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T14:31:27.857Z"}}], "cna": {"title": "Admin and Site Enhancements (ASE) < 7.6.10 - Limit Login Attempt Bypass via IP Spoofing", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Dogus Demirkiran"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Admin and Site Enhancements (ASE)", "versions": [{"status": "affected", "version": "0", "lessThan": "7.6.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/72c61904-253d-42d1-9edd-7ea2162a2f85/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value to bypass the login limit feature in the Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2025-03-04T06:00:04.054Z"}}}, "cveMetadata": {"cveId": "CVE-2024-13685", "state": "PUBLISHED", "dateUpdated": "2025-03-04T14:32:08.168Z", "dateReserved": "2025-01-23T18:49:40.091Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-03-04T06:00:04.054Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpase:admin_and_site_enhancements:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "9FD34FB9-71F4-47E4-A720-DE2E063B14A6", "versionEndExcluding": "7.6.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:wpase:admin_and_site_enhancements:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "B61E92E8-2854-4B32-93DC-EE9FCDF396B9", "versionEndExcluding": "7.6.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value to bypass the login limit feature in the Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10."}, {"lang": "es", "value": "El complemento Admin and Site Enhancements (ASE) de WordPress anterior a la versi\u00f3n 7.6.10 recupera direcciones IP de clientes de encabezados potencialmente no confiables, lo que permite a un atacante manipular su valor para eludir la funci\u00f3n de l\u00edmite de inicio de sesi\u00f3n en el complemento Admin and Site Enhancements (ASE) de WordPress anterior a la versi\u00f3n 7.6.10."}], "id": "CVE-2024-13685", "lastModified": "2025-05-14T14:51:01.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T06:15:27.240", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/72c61904-253d-42d1-9edd-7ea2162a2f85/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}