Platform: wordpress
Component: devvn-image-hotspot
Fixed in: 1.2.6
CVE-2024-7656 describes a PHP Object Injection vulnerability discovered in the Image Hotspot by DevVN WordPress plugin. This vulnerability allows authenticated attackers with Author-level access or higher to inject malicious PHP objects, potentially compromising the WordPress site. The vulnerability impacts versions of the plugin up to and including 1.2.5. A fix is available via plugin update.
The PHP Object Injection vulnerability in Image Hotspot allows an authenticated attacker to execute arbitrary code on the server. While no known property-oriented programming (POP) chain exists within the vulnerable plugin itself, the presence of such a chain in another installed plugin or theme could significantly amplify the impact. A successful exploit could lead to the deletion of critical files, exfiltration of sensitive data stored within the WordPress installation (user credentials, database connection strings, configuration files), and ultimately, complete server compromise. The attacker could establish a persistent backdoor, enabling them to maintain unauthorized access and control over the affected WordPress site.
CVE-2024-7656 was publicly disclosed on August 24, 2024. Currently, no public proof-of-concept (PoC) exploits have been released, but the vulnerability's nature makes it likely that one will emerge. The vulnerability has not yet been added to the CISA KEV catalog. Given the ease of exploitation once a POP chain is identified, and the widespread use of WordPress, this vulnerability warrants close attention.
WordPress websites utilizing the Image Hotspot by DevVN plugin, particularly those with multiple plugins or themes installed, are at elevated risk. Shared hosting environments where multiple WordPress instances share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'devvn_ihotspot_shortcode_func' /var/www/html/wp-content/plugins/image-hotspot/
• wordpress / composer / npm:
wp plugin list --status=active | grep image-hotspot
• wordpress / composer / npm:
wp plugin update image-hotspot
Exploit status
EPSS: 1.63% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7656 is to immediately upgrade the Image Hotspot by DevVN plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'devvn_ihotspot_shortcode_func' function. While not a complete fix, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block deserialization attacks targeting WordPress plugins can provide an additional layer of defense. Monitor WordPress logs for suspicious activity related to object deserialization and PHP execution.
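To make the vulnerability class concrete for plugin maintainers, the following is an added illustration of the PHP Object Injection pattern in a shortcode handler and two hardened alternatives. It is not the Image Hotspot plugin's code: the handler names, the 'data' attribute and the point structure are hypothetical, and the real devvn_ihotspot_shortcode_func may be structured quite differently. It assumes a WordPress runtime (shortcode_atts, esc_html, add_shortcode); minimal stand-ins are included so the file also runs under plain PHP 7.0 or later, where the allowed_classes option of unserialize() is available.

```php
<?php
// Added illustration, not code from the Image Hotspot plugin. Handler names,
// the 'data' attribute and the point format are hypothetical.

// Minimal stand-ins so the file also parses and runs outside WordPress.
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts ) { return array_merge( $defaults, (array) $atts ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $cb ) { /* no-op outside WordPress */ }
}

// Vulnerable pattern: a shortcode attribute, which any Author-level user can
// write into a post, reaches unserialize() with no class restriction. Any
// loadable class named in the payload is instantiated and its magic methods
// (__wakeup, __destruct, ...) run. That is PHP Object Injection; a POP chain
// in any other installed plugin or theme turns it into code execution.
function example_hotspot_shortcode_vulnerable( $atts ) {
    $atts   = shortcode_atts( array( 'data' => '' ), $atts );
    $points = unserialize( $atts['data'] ); // untrusted input, objects allowed
    return render_points( is_array( $points ) ? $points : array() );
}

// Hardened pattern 1: keep the serialized format for compatibility but forbid
// object instantiation. Objects in the payload become __PHP_Incomplete_Class
// instances whose magic methods are never invoked.
function example_hotspot_shortcode_hardened( $atts ) {
    $atts   = shortcode_atts( array( 'data' => '' ), $atts );
    $points = unserialize( $atts['data'], array( 'allowed_classes' => false ) );
    return render_points( is_array( $points ) ? $points : array() );
}

// Hardened pattern 2: drop PHP serialization entirely. json_decode() with
// assoc=true yields only scalars and arrays, so no class is ever instantiated.
function example_hotspot_shortcode_json( $atts ) {
    $atts   = shortcode_atts( array( 'data' => '' ), $atts );
    $points = json_decode( $atts['data'], true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $points ) ) {
        return '';
    }
    return render_points( $points );
}

// Shared renderer: validates each point's shape, clamps coordinates and
// escapes every output value.
function render_points( array $points ) {
    $out = '';
    foreach ( $points as $p ) {
        if ( ! is_array( $p ) || ! isset( $p['x'], $p['y'], $p['label'] ) ) {
            continue; // skip malformed entries
        }
        $out .= sprintf(
            '<span class="hotspot" style="left:%d%%;top:%d%%">%s</span>',
            max( 0, min( 100, (int) $p['x'] ) ),
            max( 0, min( 100, (int) $p['y'] ) ),
            esc_html( (string) $p['label'] )
        );
    }
    return $out;
}

add_shortcode( 'example_hotspot', 'example_hotspot_shortcode_json' );

// Constructed demo input: a serialized stdClass (harmless) shows the
// difference between the two unserialize() calls.
$demo = 'O:8:"stdClass":0:{}';
echo get_class( unserialize( $demo ) ), "\n";                                      // stdClass
echo get_class( unserialize( $demo, array( 'allowed_classes' => false ) ) ), "\n"; // __PHP_Incomplete_Class
```

The allowed_classes option is the smallest change that removes object instantiation while keeping existing serialized data readable; switching to JSON is the cleaner long-term fix because it removes the deserialization sink altogether. Either way, the renderer still has to validate structure and escape output, since object injection is only one of the problems with trusting author-supplied attributes.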
Update the Image Hotspot by DevVN plugin to the latest available version. This fixes the PHP object injection vulnerability.
CVE-2024-7656 is a HIGH severity vulnerability in the Image Hotspot WordPress plugin that allows authenticated attackers to inject PHP objects, potentially leading to code execution.
You are affected if you are using Image Hotspot by DevVN plugin versions 1.2.5 or earlier. Immediately check your plugin versions and update if necessary.
Update the Image Hotspot by DevVN plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin or restrict access to the vulnerable function.
While no active exploitation has been confirmed, the vulnerability's potential impact makes it a likely target for future attacks.
Refer to the DevVN website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-7656.