Platform
wordpress
Component
json-api-user
Fixed in
3.9.4
A critical privilege escalation vulnerability (CVE-2024-6624) has been identified in the JSON API User plugin for WordPress, affecting all versions up to and including 3.9.3. The flaw allows an unauthenticated attacker to register an account that holds the administrator role, which amounts to full control of the site. It stems from improper controls on custom user meta fields and is only exploitable when the JSON API plugin, which JSON API User extends, is also installed. Version 3.9.4 fixes the issue.
The impact of CVE-2024-6624 is severe. An unauthenticated attacker who registers as an administrator can modify content, install malicious plugins, read sensitive data and, depending on the hosting setup, pivot from the WordPress installation to the underlying server. The dependency on the JSON API plugin limits exposure to sites running both plugins, but the two are designed to be used together, so that combination is the normal deployment rather than an edge case. Given how widely WordPress is deployed, an unauthenticated administrator-creation bug of this kind lends itself to mass exploitation.
CVE-2024-6624 was publicly disclosed on 2024-07-11. No public proof-of-concept (PoC) has been widely released, but the bug requires no authentication and no user interaction, so defenders should assume that attackers are scanning for vulnerable instances. It is not currently listed in the CISA KEV catalog.
WordPress sites running the JSON API User plugin at version 3.9.3 or earlier together with the JSON API plugin are at significant risk. On shared hosting, an administrator takeover of one site can become a foothold against neighbouring sites if the host does not isolate tenants. Sites that expose the JSON API endpoints for custom integrations cannot simply block the endpoints as a workaround and therefore depend on the plugin update.
• wordpress (WP-CLI): confirm whether the plugin is installed and which version is active
wp plugin list | grep "json-api-user"
• wordpress (WP-CLI): update the plugin to the fixed release
wp plugin update json-api-user
• wordpress (WP-CLI): check the plugin's status after updating
wp plugin status json-api-user
• wordpress (WP-CLI): check whether open registration is enabled (the option is users_can_register; a value of 1 means "Anyone can register")
wp option get users_can_register
• generic web: review the web server access logs for requests to the plugin's registration endpoint, in particular bursts of registration attempts from addresses you do not recognise, and cross-check the list of administrator accounts for users you did not create.
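The two checks above (is the installed version still vulnerable, and does the access log show registration traffic against the plugin) are easy to script. The following is an added example and is not code from the advisory or from the JSON API User project. It assumes the JSON API plugin's URL scheme (`?json=controller/method` or `/api/controller/method/`) and that the registration call is routed as `user/register`; both the log-format regex and the sample log lines are constructed for the example.

```python
"""Added triage helpers for CVE-2024-6624 (example code, not from the advisory
or the plugin). Assumptions: the JSON API plugin routes requests as
?json=controller/method or /api/controller/method/, and the registration
call is user/register. The sample log lines below are constructed."""
import re
from collections import Counter

FIXED_VERSION = (3, 9, 4)  # "Fixed in 3.9.4" per the advisory

# Apache/nginx combined log format. Constructed regex, not from the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Both URL styles the JSON API plugin accepts; "user/register" is assumed.
REGISTER_RE = re.compile(r'(?:[?&]json=user/register\b|/api/user/register/?(?:\?|$))')


def parse_version(v):
    """'3.9.3' -> (3, 9, 3); tolerates suffixes such as '3.9.3-beta'."""
    nums = re.match(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?', v.strip())
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in nums.groups())


def is_vulnerable(installed):
    """True when the installed JSON API User version predates the fixed release."""
    return parse_version(installed) < FIXED_VERSION


def find_register_attempts(lines, known_ips=()):
    """Return [(ip, timestamp, path, status)] for every hit on the register
    endpoint, skipping allowlisted source IPs (e.g. your own integration hosts)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not REGISTER_RE.search(m['path']):
            continue
        if m['ip'] in known_ips:
            continue
        hits.append((m['ip'], m['ts'], m['path'], int(m['status'])))
    return hits


def summarize_by_ip(hits):
    """Count attempts per source IP; a burst from one address is the usual signal."""
    return Counter(ip for ip, *_ in hits)


# Constructed sample log lines (not real traffic). The first line fetches a
# nonce, the next two call the register endpoint in both URL styles.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2024:10:02:11 +0000] "GET /api/get_nonce/?controller=user&method=register HTTP/1.1" 200 88',
    '203.0.113.7 - - [11/Jul/2024:10:02:12 +0000] "GET /api/user/register/?username=x&email=x%40example.test&nonce=abc HTTP/1.1" 200 142',
    '203.0.113.7 - - [11/Jul/2024:10:02:13 +0000] "GET /?json=user/register&username=y&email=y%40example.test HTTP/1.1" 200 140',
    '198.51.100.5 - - [11/Jul/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [11/Jul/2024:10:06:00 +0000] "GET /api/user/register/?username=ci&email=ci%40example.test HTTP/1.1" 200 140',
]

if __name__ == "__main__":
    print("3.9.3 vulnerable:", is_vulnerable("3.9.3"))
    hits = find_register_attempts(SAMPLE_LOG, known_ips={"192.0.2.9"})
    for ip, n in summarize_by_ip(hits).items():
        print(f"{ip}: {n} register call(s)")
```

Feed the installed version from `wp plugin get json-api-user --field=version` into `is_vulnerable`, and pipe the real access log into `find_register_attempts`. The allowlist exists because legitimate integrations may call the registration endpoint; what you are looking for is registration traffic from addresses that have no business doing so, which then gets cross-checked against the site's administrator list.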
EPSS
43.45% (97th percentile)
The primary mitigation for CVE-2024-6624 is to upgrade the JSON API User plugin to 3.9.4 or later immediately. If an upgrade is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be updated. Partial measures such as disabling open registration and restricting who can reach the JSON API endpoints (for example at the web server or WAF) reduce exposure but do not substitute for the patch. Monitor the access logs for registration attempts against the plugin and audit the administrator accounts on the site. After upgrading, confirm the fix by issuing an unauthenticated registration request against the plugin and verifying that it can no longer produce an administrator account; if the site does not need open registration, the request should be rejected outright.
Update the JSON API User plugin to the latest available version. This fixes the privilege escalation vulnerability that allows unauthenticated attackers to register as administrators on the site.
CVE-2024-6624 is a critical vulnerability in the JSON API User plugin for WordPress, versions up to and including 3.9.3, that allows unauthenticated attackers to register as administrators.
Yes, if you are running the JSON API User plugin at version 3.9.3 or earlier together with the JSON API plugin, you are affected by this vulnerability.
Upgrade the JSON API User plugin to 3.9.4 or later. If an immediate upgrade is not possible, deactivate the plugin until you can update it.
No public PoC has been released, but the vulnerability requires no authentication and is simple to trigger, so active exploitation should be assumed likely.
Refer to the official JSON API User plugin website or the WordPress security advisory for the latest information and updates.