CVE-2024-11638

Gtbabel < 6.6.9 - Unauthenticated Admin Account Takeover

CVSS 8.8 (High) · EPSS 0.5%
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
10 Mar 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL it performs code analysis on belongs to the blog. Because the server-side request made to analyse that URL carries the cookies of the user who triggered it, an unauthenticated attacker can obtain the session cookies of a logged-in user (such as an administrator) by making them open a crafted URL, which leads to account takeover.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
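The weakness described above is a server-side fetch of a caller-supplied URL that forwards the requesting user's cookies, so the check a fix needs is that the target URL really belongs to the blog before any request is made. The block below is an added illustration of what such a check has to get right; it is not the plugin's code (which is PHP) and is not taken from the 6.6.9 patch. It is written in Python so it runs stand-alone, and the blog home URL, the cookie names and the sample target URLs are constructed values, not data from the advisory.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed value: the blog's home URL as a fix would read it from the
# site configuration. Not taken from the plugin or the advisory.
BLOG_HOME_URL = "https://blog.example.com"


def _origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Using the parsed hostname (not a string prefix match) defeats the usual
    bypasses: userinfo tricks (https://blog.example.com@attacker.example),
    look-alike suffixes (blog.example.com.attacker.example), mixed case and
    explicit default ports.
    """
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https"):
            return None  # rejects relative URLs, //host paths, javascript: etc.
        host = parts.hostname  # lower-cased, userinfo stripped
        if not host:
            return None
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, host, port)


def url_belongs_to_blog(url: str, home_url: str = BLOG_HOME_URL) -> bool:
    """True only if url has exactly the blog's scheme, host and port."""
    target = _origin(url)
    home = _origin(home_url)
    return target is not None and home is not None and target == home


def prepare_analysis_request(
    url: str, session_cookies: Dict[str, str], home_url: str = BLOG_HOME_URL
) -> Optional[Dict[str, object]]:
    """Build the outbound analysis request, or return None to refuse it.

    Cookies are forwarded only to the blog itself; a foreign target is
    refused outright rather than fetched without cookies, so the server
    never acts as an open fetcher for attacker-chosen hosts.
    """
    if not url_belongs_to_blog(url, home_url):
        return None
    return {"url": url, "cookies": dict(session_cookies)}


if __name__ == "__main__":
    # Constructed session cookies of the victim user (names are assumptions).
    victim_cookies = {"wordpress_logged_in_example": "admin|token"}
    for candidate in (
        "https://blog.example.com/wp-admin/",          # legitimate target
        "https://blog.example.com@attacker.example/",  # userinfo trick
        "https://blog.example.com.attacker.example/",  # suffix trick
        "//attacker.example/collect",                  # scheme-relative
    ):
        result = prepare_analysis_request(candidate, victim_cookies)
        print(f"{candidate!r:50} -> {'fetch' if result else 'refuse'}")
```

The comparison is on the full origin (scheme, host, port); a scheme downgrade to plain http or a non-default port is refused as well, which is the conservative choice when the request will carry authentication cookies.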
Affected products
Gtbabel (vendor: unknown)
