CVE-2024-9947
ProfilePress - Pro <= 4.11.1 - Authentication Bypass via WordPress.com OAuth providerThe ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
We have discovered 7,668 live websites that are affected by CVE-2024-9947.
Affected Software
| Product |  ProfilePress |
| Category | Wordpress Plugins |
| Vulnerable Domains | 7,668 live websites (16% of ProfilePress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 72 versions ( 61% of all versions) |
Common Weakness Enumeration
CWE-287 Improper AuthenticationDetails
- Published - Oct 23, 2024
- Updated - Feb 19, 2025
Credits
- wesley (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-9947 United States | 1,912 websites |
 Japan | 1,270 websites |
 Germany | 692 websites |
 France | 359 websites |
 Italy | 328 websites |
 Russia | 251 websites |
 GB | 249 websites |
 Spain | 236 websites |
 Brazil | 215 websites |
 Poland | 215 websites |
Website Distribution by TLD
Number of websites using CVE-2024-9947| .com | 3,411 websites |
| .de | 369 websites |
| .net | 299 websites |
| .org | 299 websites |
| .it | 238 websites |
| .jp | 236 websites |
| .ru | 198 websites |
| .com.br | 196 websites |
| .pl | 173 websites |
| .es | 136 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9947
Top websites that are affected by CVE-2024-9947. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | Japan | **,*** | |
| ****************.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| ************.com | Japan | **,*** | |
| *********.com | United States | **,*** | |
| ***********.****.org | United States | **,*** | |
| **************.com | United States | **,*** | |
| ***********.net |  Turkey | **,*** | |
| ***.sucks | United States | **,*** | |
| ****************.com | United States | **,*** |
FAQ
CVE-2024-9947 is Improper Authentication in ProfilePress
A total of 7,668 websites have been identified as vulnerable to CVE-2024-9947, based on global website indexing conducted by WebTechSurvey.
The ProfilePress is affected by the CVE-2024-9947 vulnerability.
ProfilePress versions up to and including 4.11.1 are vulnerable to CVE-2024-9947.