Platform: wordpress
Component: wpcom-member
Fixed in: 1.5.3
CVE-2024-7493 is a privilege escalation vulnerability affecting the WPCOM Member plugin for WordPress. This flaw allows unauthenticated attackers to elevate their user role to administrator during the registration process, granting them complete control over the affected WordPress site. The vulnerability impacts versions up to and including 1.5.2.1, and a patch is available from the plugin developers.
The impact of CVE-2024-7493 is severe. Successful exploitation allows an attacker to gain full administrative access to a WordPress site without requiring any prior authentication. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially compromise the entire server. The ease of exploitation, requiring only a successful registration, significantly broadens the attack surface and increases the risk of widespread compromise for WordPress installations using the vulnerable plugin.
CVE-2024-7493 was publicly disclosed on 2024-09-06. No known public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation makes it a likely target. It is not currently listed on the CISA KEV catalog. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
WordPress sites with the WPCOM Member plugin installed are at risk. Sites with limited security monitoring or no automated update process are particularly exposed, as are shared hosting environments where plugin updates are managed by the hosting provider and may not be applied promptly.
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep wpcom-member
• wordpress / composer / npm:
  wp plugin update --all
• wordpress / composer / npm:
  wp plugin status wpcom-member
• wordpress / composer / npm:
  wp option get admin_email  # Check for unusual admin email addresses after registration
Disclosure
Exploit status
EPSS: 1.02% (77th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7493 is to immediately update the WPCOM Member plugin to a version higher than 1.5.2.1. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new registrations. While a direct WAF rule is difficult to implement, monitoring for unusual user registration patterns (e.g., rapid role changes) can provide early detection. After upgrading, verify the fix by attempting a new user registration and confirming that the user role is not automatically elevated to administrator.
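The following script is an added example, not part of this advisory, showing the version check and the "watch for newly created administrators" detection described above as WP-CLI-driven shell helpers. It assumes the CSV output formats of `wp plugin list --format=csv` and `wp user list --format=csv`; the sample CSV strings are constructed stand-ins for a live `wp` run.

```shell
#!/bin/sh
# Added triage helpers for CVE-2024-7493 (not from the advisory). Assumes WP-CLI;
# the CSV strings below are CONSTRUCTED samples in the format of
# `wp plugin list --format=csv` and `wp user list --format=csv`.

# True (exit 0) if the WPCOM Member version is <= 1.5.2.1, i.e. affected.
# Missing components count as 0, so "1.5.2" is affected and "1.5.3" is not.
wpcom_member_affected() {
    awk -v v="$1" 'BEGIN {
        n = split(v, a, "."); m = split("1.5.2.1", b, ".")
        for (i = 1; i <= 4; i++) {
            x = (i <= n) ? a[i] + 0 : 0; y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# Print the installed wpcom-member version from
# `wp plugin list --fields=name,status,version --format=csv`; exit 1 if absent.
wpcom_member_version() {
    printf '%s\n' "$1" |
        awk -F, 'NR > 1 && $1 == "wpcom-member" { print $3; found = 1 }
                 END { exit !found }'
}

# Print logins of administrators registered at or after CUTOFF. Input is
# `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`;
# "YYYY-MM-DD HH:MM:SS" compares correctly as a string, so no date parsing is needed.
new_admins_since() {
    printf '%s\n' "$1" | awk -F, -v cutoff="$2" 'NR > 1 && $4 >= cutoff { print $2 }'
}

# Constructed sample output standing in for a live `wp` run.
SAMPLE_PLUGINS='name,status,version
akismet,active,5.3
wpcom-member,active,1.5.2.1'
SAMPLE_USERS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-10 08:15:00
42,newreg,u42@example.com,2024-09-06 10:00:00'

# Report plugin state, then any administrator created since the cutoff date.
triage() {
    ver=$(wpcom_member_version "$1") || { echo "wpcom-member not installed"; return 0; }
    if wpcom_member_affected "$ver"; then echo "wpcom-member $ver: AFFECTED, update now"
    else echo "wpcom-member $ver: patched"; fi
    new_admins_since "$2" "$3" | sed 's/^/review new administrator: /'
}

triage "$SAMPLE_PLUGINS" "$SAMPLE_USERS" "2024-09-05 00:00:00"
```

On a live site, replace the sample strings with `$(wp plugin list --fields=name,status,version --format=csv)` and the matching `wp user list` call, and set the cutoff to the date you last reviewed the administrator list.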
Update the WPCOM Member plugin to the latest available version. Version 1.5.2.2 or higher fixes this privilege escalation vulnerability and prevents unauthenticated users from registering as administrators.
CVE-2024-7493 is a critical vulnerability in the WPCOM Member plugin for WordPress allowing unauthenticated attackers to gain administrator privileges during user registration.
You are affected if your WordPress site uses the WPCOM Member plugin version 1.5.2.1 or earlier. Check your plugin version and update immediately.
Update the WPCOM Member plugin to a version higher than 1.5.2.1. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target. Monitor your site closely.
Refer to the official WPCOM Member plugin website or WordPress.org plugin repository for the latest advisory and update information.