
CVE-2024-49328

Severity: Critical
Published: 20 October 2024
Modified: 23 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4156 (97.5th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-49328 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the WP REST API FNS WordPress plugin by vivektamrakar. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-49328 is an authentication bypass arising from use of an alternate path or channel in the WP REST API FNS plugin for WordPress. The flaw affects all versions up to and including 1.0.0 and is tracked under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function). It carries a CVSS 3.1 base score of 9.8: the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects network-reachable exploitation with no credentials or user interaction required, and a high impact on confidentiality, integrity and availability of the affected site.

An unauthenticated attacker can reach the plugin's REST endpoints through a path the plugin does not protect, bypassing WordPress's normal authentication checks and taking over accounts on the affected site. Successful exploitation lets the attacker read, modify or delete arbitrary data and perform administrative actions.

The single advisory reference available, from Patchstack, characterizes the issue as an account-takeover vulnerability in the WP REST API FNS plugin and points to the Patchstack database entry for further details; it provides no explicit patch or mitigation steps, and no fixed release is referenced here. Until a fixed release is confirmed, every installed version at or below 1.0.0 should be treated as vulnerable, and deactivating or removing the plugin is the only mitigation this page supports.
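The following is an added example, not code from the WP REST API FNS plugin or from the Patchstack advisory. The page does not say which endpoint or check the plugin gets wrong, so the PHP embedded below is a constructed sample showing the general CWE-306/CWE-288 shape of a WordPress REST API bug (a route registered with no permission_callback, or with one that always returns true) next to its hardened form, and the Python audits plugin source for that pattern. The namespace fns/v1, the routes and the callback names are hypothetical.

```python
"""Audit WordPress plugin source for REST routes with no real permission check,
the CWE-306 / CWE-288 shape behind account-takeover bugs like CVE-2024-49328.
Added illustration: the PHP is a constructed sample, not the WP REST API FNS
plugin's code (the advisory does not say which check that plugin gets wrong)."""
import re
from dataclasses import dataclass

# Constructed sample; namespace, routes and callbacks are hypothetical.
SAMPLE_PLUGIN_PHP = r"""<?php
add_action( 'rest_api_init', function () {
    // No permission_callback: WordPress 5.5+ warns but still registers the
    // route, so any unauthenticated client can call it.
    register_rest_route( 'fns/v1', '/login', array(
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => 'fns_login_by_username',
    ) );
    // A callback that always returns true is no check at all.
    register_rest_route( 'fns/v1', '/users/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'fns_update_user',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: caller must be logged in and hold the needed capability.
    register_rest_route( 'fns/v1', '/users/(?P<id>\d+)/role', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'fns_set_role',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'promote_users' );
        },
    ) );
} );
"""

ROUTE_CALL = re.compile(r"register_rest_route\s*\(")
ARGS_HEAD = re.compile(r"\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*,")
PERM_KEY = re.compile(r"['\"]permission_callback['\"]\s*=>\s*")
ALWAYS_TRUE = re.compile(
    r"['\"]__return_true['\"]|"
    r"(?:fn|function)\s*\([^)]*\)\s*(?:=>|\{)\s*(?:return\s+)?true\s*;?\s*\}?", re.S)

@dataclass
class RouteFinding:
    namespace: str
    route: str
    status: str  # "missing", "always_true" or "checked"
    line: int

def _span_until(src: str, start: int, stop_at_comma: bool) -> str:
    """Text from src[start] to the bracket closing the enclosing one (or the first
    top-level comma). PHP string literals are skipped, so parentheses inside route
    regexes do not disturb the depth count."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:
                return src[start:i]
            depth -= 1
        elif c == "," and depth == 0 and stop_at_comma:
            return src[start:i]
        i += 1
    raise ValueError("unbalanced brackets in PHP source")

def classify_permission(call_args: str) -> str:
    """Classify the permission_callback of one register_rest_route() call."""
    key = PERM_KEY.search(call_args)
    if not key:
        return "missing"
    value = _span_until(call_args, key.end(), stop_at_comma=True).strip()
    return "always_true" if ALWAYS_TRUE.fullmatch(value) else "checked"

def audit_rest_routes(php_source: str) -> list[RouteFinding]:
    """Find every register_rest_route() call and classify its permission check."""
    findings = []
    for call in ROUTE_CALL.finditer(php_source):
        args = _span_until(php_source, call.end(), stop_at_comma=False)
        head = ARGS_HEAD.match(args)
        if not head:           # namespace/route not literal strings: skip
            continue
        line = php_source.count("\n", 0, call.start()) + 1
        findings.append(RouteFinding(head.group(1), head.group(2),
                                     classify_permission(args), line))
    return findings

def unauthenticated_routes(php_source: str) -> list[str]:
    """Routes any unauthenticated network client can invoke: the CWE-306 surface."""
    return [f"/{f.namespace}{f.route}"
            for f in audit_rest_routes(php_source) if f.status != "checked"]

if __name__ == "__main__":
    for f in audit_rest_routes(SAMPLE_PLUGIN_PHP):
        print(f"line {f.line:>3}  {f.status:<12} /{f.namespace}{f.route}")
```

A route reported as "checked" is not automatically safe: the audit only proves that some permission callback runs, and a weak one (for example `is_user_logged_in` on an administrative action) still has to be reviewed by hand for the capability it should demand. Comments placed inside a register_rest_route() call are not stripped, so brackets in them can skew the balanced scan; run the tool on real plugin source with that limitation in mind.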

The EPSS score reached a peak of 0.5450 after disclosure before receding to its current value of 0.4156.


Vulnerability details

Authentication Bypass Using an Alternate Path or Channel vulnerability in vivek2tamrakar WP REST API FNS rest-api-fns allows Authentication Bypass. This issue affects WP REST API FNS: from n/a through <= 1.0.0.

CWE(s)

CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-306: Missing Authentication for Critical Function

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vivektamrakar / WP REST API FNS, versions ≤ 1.0.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-306, CWE-288: Mandates additional authentication for access under defined conditions, ensuring critical or high-risk functions are not left without authentication.

Addresses CWE-306, CWE-288: Identity providers mandate authentication for functions that would otherwise lack it.

Addresses CWE-306, CWE-288: Requires authentication for non-organizational users, preventing access to critical functions without proper identification and authentication.

Addresses CWE-306: Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.

Addresses CWE-306: Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.

Addresses CWE-288: Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.

Addresses CWE-306: Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.

Addresses CWE-306: Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
