CVE-2025-6441

Sažetak

The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.31. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under certain circumstances, issuing authorization cookies which can lead to authentication bypass.

Reference

https://plugins.trac.wordpress.org/browser/webinar-ignition/trunk/inc/class-webinarignition.php#L549
https://plugins.trac.wordpress.org/browser/webinar-ignition/trunk/inc/class.WebinarignitionAjax.php#L769
https://plugins.trac.wordpress.org/browser/webinar-ignition/trunk/inc/class.WebinarignitionManager.php#L1040
https://plugins.trac.wordpress.org/browser/webinar-ignition/trunk/inc/class.WebinarignitionManager.php#L53
https://www.wordfence.com/threat-intel/vulnerabilities/id/52c19707-df18-4239-af46-12ea5ee86a4b?source=cve

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

25-07-2025 - 15:29

Objavljeno

24-07-2025 - 10:15