CVE-2024-9947
ProfilePress - Pro <= 4.11.1 - Authentication Bypass via WordPress.com OAuth providerThe ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
We have discovered 11,021 live websites that are affected by CVE-2024-9947.
Affected Software
| Product |  ProfilePress |
| Category | Wordpress Plugins |
| Vulnerable Domains | 11,021 live websites (19.84% of ProfilePress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 75 versions ( 66.37% of all versions) |
Common Weakness Enumeration
CWE-287 Improper AuthenticationDetails
- Published - Oct 23, 2024
- Updated - Feb 19, 2025
Credits
- wesley (finder)
CWE
CVE References
CWE References
CVE-2024-9947 usage by Country
 United States | 3,783 websites |
 Japan | 1,554 websites |
 Germany | 1,168 websites |
 France | 587 websites |
 Russia | 317 websites |
 Poland | 284 websites |
 GB | 281 websites |
 Brazil | 251 websites |
 Italy | 241 websites |
 Spain | 238 websites |
CVE-2024-9947 usage by TLD
| .com | 5,025 websites |
| .de | 540 websites |
| .org | 459 websites |
| .net | 418 websites |
| .com.br | 356 websites |
| .jp | 314 websites |
| .ru | 262 websites |
| .pl | 251 websites |
| .it | 220 websites |
| .co.uk | 181 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-9947
Top websites that are affected by CVE-2024-9947. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| *********.com | Japan | **,*** | |
| ****************.com | United States | **,*** | |
| ************.com | United States | **,*** | |
| ***************.net | United States | **,*** | |
| ********.com | United States | **,*** | |
| ************.com | Japan | **,*** | |
| *********.com | United States | **,*** | |
| ***********.****.org | United States | **,*** |
FAQ
CVE-2024-9947 is Improper Authentication in ProfilePress
A total of 11,021 websites have been identified as vulnerable to CVE-2024-9947, discovered through global website indexing conducted by WebTechSurvey.
ProfilePress is susceptible to CVE-2024-9947 vulnerability.
ProfilePress versions before, and including, 4.11.1 are vulnerable to CVE-2024-9947.