cleantalk
Vulnerabilities and Security Researches

WatchTowerHQ, CVE-2024-9933

CVE, Research URL

CVE-2024-9933

Home page URL

Security reports for WatchTowerHQ

Application

WatchTowerHQ

Published on
Oct 26, 2024
Research Description
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user.
Affected versions
Min -, max 3.10.4.
Status
vulnerable
Previous vulnerability researches
WatchTowerHQ (CVE-2023-25701) , Jun 07, 2024
WatchTowerHQ (CVE-2022-44584) , Jun 07, 2024
WatchTowerHQ (CVE-2022-44583) , Jun 07, 2024
WatchTowerHQ (CVE-2024-9933) , Oct 27, 2024
New vulnerability
Live Sports Streamthunder (CVE-2025-49967) , Jun 25, 2025
WP Voting Contest Lite (CVE-2025-50017) , Jun 25, 2025
Automatically Hierarchic Categories in Menu (CVE-2025-50048) , Jun 24, 2025
WP Visitor Statistics (Real Time Traffic) (CVE-2025-49996) , Jun 24, 2025
Video List Manager (CVE-2025-49986) , Jun 24, 2025