Platform
wordpress
Component
favicon-generator
Fixed in
1.5.1
A critical vulnerability, CVE-2024-7568, affects the Favicon Generator plugin for WordPress versions up to 1.5. This vulnerability allows an attacker to delete arbitrary files on the server through Cross-Site Request Forgery (CSRF) attacks. Due to the plugin author removing the functionality and closing the plugin, a direct upgrade is not possible; mitigation strategies focus on alternative security measures.
The Arbitrary File Access vulnerability in Favicon Generator allows unauthenticated attackers to delete files on the server if they can trick a site administrator into clicking a malicious link. This could lead to complete site compromise, data loss, or denial of service. An attacker could delete core WordPress files, plugin configurations, or even critical system files, effectively taking control of the server. The impact is particularly severe as the plugin's functionality is now discontinued, leaving users with no direct patch option.
CVE-2024-7568 was publicly disclosed on August 24, 2024. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that one will emerge. It is not currently listed on CISA KEV. The plugin's closure significantly reduces the likelihood of active exploitation, but the potential for opportunistic attacks remains.
Affected systems are WordPress sites using the Favicon Generator plugin, particularly those with administrative users who may be susceptible to social engineering attacks. Shared hosting environments are at increased risk, as a compromised site can potentially impact other users on the same server.
• wordpress / composer / npm:
grep -r "output_sub_admin_page_0" /var/www/html/wp-content/plugins/favicon-generator/
• generic web:
curl -I "https://your-wordpress-site.com/wp-admin/admin.php?page=favicon-generator-settings&action=delete_file"  # Check for lack of CSRF protection
Disclosure
Exploit status
EPSS
0.43% (63rd percentile)
CISA SSVC
CVSS vector
Since a direct upgrade is not possible due to the plugin being closed, mitigation focuses on preventing exploitation. Implement Web Application Firewall (WAF) rules to block suspicious requests targeting the vulnerable output_sub_admin_page_0 function. Regularly monitor file system activity for unauthorized deletions. Consider using a security plugin with CSRF protection capabilities. Thoroughly review any WordPress plugins before installation and ensure they are from reputable sources. After implementing WAF rules, verify their effectiveness by simulating a CSRF attack.
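The following script is an added illustration of the monitoring and WAF-verification advice above; it is not code from the plugin, from the advisory, or from any vendor. It scans web-server access-log lines (combined log format) for requests to the plugin's delete action and flags the ones that look cross-site, which is the shape a CSRF-triggered deletion takes: the request arrives with no Referer or with a Referer from a foreign host. The request shape (`admin.php?page=favicon-generator-settings&action=delete_file`) is taken from the advisory's own check command and is an assumption about real traffic; the site host, the `file` parameter and every log line are constructed samples. Status 403 entries show where a WAF rule blocked the request, so the summary doubles as a quick check of rule effectiveness.

```python
"""Flag cross-site requests to the Favicon Generator delete action in access logs.

Added example for this advisory, not the plugin's or the advisory author's code.
Assumptions: request shape from the advisory's check command, constructed site
host and constructed log lines.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "your-wordpress-site.com"      # assumption: host of the protected site
TARGET_PAGE = "favicon-generator-settings"  # from the advisory's check command
TARGET_ACTION = "delete_file"               # from the advisory's check command

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_delete_request(path):
    """True when the request path is the plugin admin page with the delete action."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("page") == [TARGET_PAGE] and qs.get("action") == [TARGET_ACTION]


def referer_is_cross_site(referer):
    """A missing Referer cannot prove same-site origin, so it is treated as suspicious."""
    if not referer or referer == "-":
        return True
    return urlsplit(referer).hostname != SITE_HOST


def classify(lines):
    """Return one finding per delete request, marking cross-site ones as high severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_delete_request(rec["path"]):
            continue
        cross = referer_is_cross_site(rec["referer"])
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "status": int(rec["status"]),
            "cross_site": cross,
            "severity": "high" if cross else "review",
        })
    return findings


def summarize(findings):
    """Counts useful for verifying WAF coverage: a cross-site request that was not
    answered with 403 got past the rules and needs follow-up."""
    return {
        "total": len(findings),
        "cross_site": sum(1 for f in findings if f["cross_site"]),
        "blocked": sum(1 for f in findings if f["status"] == 403),
        "cross_site_allowed": sum(1 for f in findings if f["cross_site"] and f["status"] != 403),
    }


# Constructed sample log lines (not real traffic). The `file` parameter is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Aug/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=favicon-generator-settings HTTP/1.1" 200 5120 "https://your-wordpress-site.com/wp-admin/plugins.php" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Aug/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=favicon-generator-settings&action=delete_file&file=old.png HTTP/1.1" 302 0 "https://your-wordpress-site.com/wp-admin/admin.php?page=favicon-generator-settings" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Aug/2024:10:05:40 +0000] "GET /wp-admin/admin.php?page=favicon-generator-settings&action=delete_file&file=favicon.ico HTTP/1.1" 403 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Aug/2024:10:06:02 +0000] "GET /wp-admin/admin.php?page=favicon-generator-settings&action=delete_file&file=favicon.ico HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Aug/2024:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "curl/8.0"',
]

if __name__ == "__main__":
    results = classify(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

On the constructed sample, the admin's own delete (same-site Referer) is reported for review, the request from the foreign host was blocked with 403, and the Referer-less request reached the server with 200, which is the one the summary surfaces as `cross_site_allowed`. Run it against a real log by replacing `SAMPLE_LOG` with the file's lines and setting `SITE_HOST` to your site's host.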
This plugin has been discontinued by its author. It is recommended to look for an alternative plugin for managing favicons.
CVE-2024-7568 is a CRITICAL vulnerability in the Favicon Generator WordPress plugin allowing attackers to delete files via CSRF. It affects versions up to 1.5.
You are affected if your WordPress site uses the Favicon Generator plugin version 1.5 or earlier. The plugin is now closed, so direct patching is not possible.
Due to the plugin being closed, upgrade is not possible. Mitigate by implementing WAF rules, monitoring file system activity, and using CSRF protection plugins.
No active exploitation has been confirmed, but the vulnerability's nature makes it a potential target for opportunistic attacks.
The plugin author has closed the plugin; official advisories are limited. Consult WordPress security blogs and vulnerability databases for updates.