Platform
php
Component
wp-cli/wp-cli
Fixed in
2.5.1
2.5.0
CVE-2021-29504 is a critical remote code execution (RCE) vulnerability affecting versions of wp-cli up to and including v2.4.1. This flaw stems from improper error handling during HTTPS request management, allowing attackers to bypass certificate verification. Successful exploitation enables attackers to impersonate update servers and push malicious updates to WordPress instances or even to the wp-cli agent itself, potentially leading to complete system compromise. A patch is available in version 2.5.0.
The impact of CVE-2021-29504 is severe. An attacker who can intercept communication between a wp-cli agent and an update server can disable certificate verification. This allows them to impersonate legitimate update servers and deliver malicious code disguised as WordPress updates or even malicious updates to the wp-cli tool itself. This could lead to arbitrary code execution on the target system, granting the attacker full control. The blast radius extends to any WordPress instance managed by a vulnerable wp-cli agent, potentially impacting numerous websites and their associated data. This vulnerability is particularly concerning given the widespread use of wp-cli for WordPress management tasks.
CVE-2021-29504 was publicly disclosed on May 19, 2021. While no active exploitation campaigns have been definitively confirmed, the critical severity and potential for remote code execution make it a high-priority vulnerability. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress developers and system administrators who rely on wp-cli for managing WordPress installations are at significant risk. Shared hosting environments where wp-cli is used to manage multiple WordPress instances are particularly exposed, as a compromise of one wp-cli agent could affect numerous websites. Users of older wp-cli versions who have not implemented strict access controls are also at increased risk.
• linux / server: find /usr/local/bin/wp -type f -mtime -7 -print
• php: composer show wp-cli
• generic web: curl -I https://raw.githubusercontent.com/wp-cli/builds/v2.4.1/phar/wp-cli.phar | grep 'Server:'
Disclosure
Exploit status
EPSS
1.15% (78th percentile)
CVSS vector
The primary mitigation for CVE-2021-29504 is to upgrade to wp-cli version 2.5.0 or later, which contains the fix. If an immediate upgrade is not possible due to compatibility issues, consider temporarily disabling automatic updates via wp-cli. While not a complete solution, this can reduce the attack surface. Carefully review any updates manually before applying them. Monitor network traffic for suspicious connections to update servers. Implement strict access controls to limit who can execute wp-cli commands. After upgrading, confirm the fix by attempting an HTTPS update and verifying that certificate verification is still enforced.
Update WP-CLI to version 2.5.0 or later. If an update is not possible, avoid performing HTTPS requests for which certificate validation is critical. If you are running a version prior to 2.5.0, there is no direct fix, but you can consider upgrading to the latest available version.
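The advisory describes the flaw as error handling that leaves certificate verification disabled. The PHP below is an added illustration of that failure class and of the fail-closed replacement; it is not wp-cli's own code and does not claim to be the exact code path behind CVE-2021-29504. fetch_insecure_fallback() shows the fail-open pattern (CA bundle unavailable, so verification is switched off), and fetch_verified() the hardened version that refuses to connect instead. The URL and CA-bundle paths are placeholders.

```php
<?php
// Added illustration (not wp-cli's code): fail-open vs. fail-closed handling
// of a missing CA bundle when making an HTTPS request with PHP's curl.
declare(strict_types=1);

final class TlsVerificationError extends RuntimeException {}

/**
 * Fail-open pattern (for contrast only): if the CA bundle cannot be read,
 * "handle" the error by turning peer verification off and continuing. An
 * on-path attacker can then present any certificate and be accepted as the
 * update server. Returns the body, or null on transport failure.
 */
function fetch_insecure_fallback(string $url, string $caBundle): ?string
{
    $opts = [CURLOPT_RETURNTRANSFER => true];
    if (is_readable($caBundle)) {
        $opts[CURLOPT_SSL_VERIFYPEER] = true;
        $opts[CURLOPT_SSL_VERIFYHOST] = 2;
        $opts[CURLOPT_CAINFO]         = $caBundle;
    } else {
        // BUG: the error path silently downgrades to an unverified connection.
        $opts[CURLOPT_SSL_VERIFYPEER] = false;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;
    }
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

/**
 * Fail-closed pattern: verification is mandatory. If it cannot be performed
 * (no bundle, untrusted chain, hostname mismatch) the request is aborted and
 * the caller must treat the update as unavailable, never as "unverified but ok".
 */
function fetch_verified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new TlsVerificationError("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // no silent hops to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http:// entirely
        CURLOPT_SSL_VERIFYPEER => true,            // chain must validate against bundle
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host
        CURLOPT_CAINFO         => $caBundle,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $err   = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        // Any TLS failure (untrusted CA, expired or mismatched certificate) lands
        // here; we surface it instead of retrying with verification disabled.
        throw new TlsVerificationError("HTTPS request failed (curl $errno): $err");
    }
    return $body;
}

// Offline self-check: with a deliberately nonexistent bundle (placeholder path),
// the hardened function must refuse to connect rather than fall back.
try {
    fetch_verified('https://updates.example.invalid/wp-cli.json', '/nonexistent/cacert.pem');
    echo "FAIL: request proceeded without a verifiable CA bundle\n";
} catch (TlsVerificationError $e) {
    echo "OK: failed closed: {$e->getMessage()}\n";
}
```

The same check can be used after upgrading to confirm the advisory's last step: point fetch_verified() at the real update endpoint with a valid bundle and confirm it succeeds, then at a host whose certificate your bundle does not trust and confirm it throws rather than returning a body.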
CVE-2021-29504 is a critical remote code execution vulnerability in wp-cli versions up to 2.4.1. It allows attackers to impersonate update servers and push malicious updates.
You are affected if you are using wp-cli version 2.4.1 or earlier. Check your version with composer show wp-cli.
Upgrade to wp-cli version 2.5.0 or later using composer update wp-cli. Consider disabling automatic updates temporarily if an immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the critical severity makes it a high-priority vulnerability and exploitation is possible.
Refer to the official wp-cli security advisory: https://github.com/wp-cli/builds/issues/623