Platform: wordpress
Component: frontend-dashboard
Fixed in: 2.2.5
CVE-2024-8268 is a critical Remote Code Execution (RCE) vulnerability affecting the Frontend Dashboard plugin for WordPress. It allows authenticated users with subscriber-level access or higher to execute arbitrary code on the server. The issue stems from insufficient input validation within the ajax_request() function, which lets a caller invoke arbitrary functions. All versions prior to 2.2.5 are affected; the fix shipped in version 2.2.5.
The impact of CVE-2024-8268 is significant. An attacker exploiting this vulnerability can execute arbitrary code on the WordPress server with the privileges of the system user the web server runs PHP as. This could lead to complete control of the website, including data theft, modification, and defacement. Attackers could also use this access to move laterally within the network if the WordPress server can reach other systems. Because it takes a subscriber account to code execution, and from there to administrator control, the vulnerability is particularly dangerous: it bypasses the site's normal access controls entirely.
CVE-2024-8268 was publicly disclosed on 2024-09-10. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the potential impact make it a high-priority vulnerability. No Proof of Concept (PoC) code has been publicly released, but the vulnerability's nature suggests that it is relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Websites using the Frontend Dashboard plugin, particularly those with subscriber-level users who have access to the frontend dashboard functionality, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm: locate the vulnerable dispatcher in the installed plugin:
grep -r 'ajax_request(' /var/www/html/wp-content/plugins/frontend-dashboard/
• wordpress / composer / npm: confirm whether the plugin is active:
wp plugin list --status=active | grep 'frontend-dashboard'
• wordpress / composer / npm: update to the fixed release:
wp plugin update frontend-dashboard --version=2.2.5
• generic web: Check the WordPress plugin directory for reports of exploitation or discussions related to CVE-2024-8268.
disclosure
Exploit status
EPSS
0.36% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-8268 is to upgrade the Frontend Dashboard plugin to version 2.2.5 or later immediately. If upgrading is not immediately possible because of compatibility issues or breaking changes, consider restricting access to the ajax_request() function; this is not a complete fix, but it limits the potential for exploitation. A Web Application Firewall (WAF) configured to inspect and filter requests reaching the ajax_request() endpoint can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to trigger the vulnerable function with a malicious payload and verifying that it is properly sanitized.
Update the Frontend Dashboard plugin to version 2.2.5 or later. This version contains a fix for the arbitrary code execution vulnerability. The update can be performed from the WordPress administration panel.
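One way to implement the stopgap described above, as an added example that is neither the plugin's nor the advisory's own code: a must-use plugin that refuses the guarded admin-ajax actions to any user lacking manage_options and logs the attempt, until the update to 2.2.5 lands. The page does not give the AJAX action names the Frontend Dashboard plugin registers, so FD_GUARD_ACTIONS holds labelled placeholders to be replaced with the names found by grepping the plugin for add_action('wp_ajax_...'); the fd_guard_* names are this example's own.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2024-8268 (added example, not plugin code)
 * Description: Blocks low-privilege calls to guarded admin-ajax actions until
 *              Frontend Dashboard is updated to 2.2.5. Place this file in
 *              wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// ASSUMPTION: the advisory does not list the plugin's AJAX action names.
// Replace these placeholders with the real names before deploying.
const FD_GUARD_ACTIONS = array('PLACEHOLDER_fd_action_1', 'PLACEHOLDER_fd_action_2');

// Capability a caller must hold to reach the guarded actions while the guard is active.
const FD_GUARD_REQUIRED_CAP = 'manage_options';

/**
 * Decide whether a request must be blocked: true when the dispatched action is
 * one of the guarded actions and the caller lacks the required capability.
 * Kept free of WordPress calls so it can be unit-tested in isolation.
 */
function fd_guard_should_block($action, $user_has_cap) {
    if (!is_string($action) || !in_array($action, FD_GUARD_ACTIONS, true)) {
        return false;
    }
    return !$user_has_cap;
}

/**
 * Runs on admin_init, which admin-ajax.php fires before dispatching wp_ajax_*
 * hooks, so a blocked request never reaches the plugin's ajax_request() code.
 */
function fd_guard_admin_ajax() {
    if (!function_exists('wp_doing_ajax') || !wp_doing_ajax()) {
        return; // only admin-ajax.php requests carry a dispatched action
    }
    $action = isset($_REQUEST['action']) ? wp_unslash($_REQUEST['action']) : '';
    if (fd_guard_should_block($action, current_user_can(FD_GUARD_REQUIRED_CAP))) {
        // Record who tried what, so blocked attempts show up in the PHP error log.
        error_log(sprintf(
            'CVE-2024-8268 guard: blocked action "%s" for user %d from %s',
            $action,
            get_current_user_id(),
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ));
        wp_send_json_error(array('message' => 'Action temporarily disabled.'), 403);
    }
}
add_action('admin_init', 'fd_guard_admin_ajax', 0);
```

Remove the guard once the plugin is confirmed at 2.2.5 or later, since it also blocks legitimate non-administrator use of the guarded actions.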
CVE-2024-8268 is a Remote Code Execution vulnerability in the Frontend Dashboard WordPress plugin, allowing authenticated subscribers to execute arbitrary code.
You are affected if you are using the Frontend Dashboard plugin version 2.2.4 or earlier.
Upgrade the Frontend Dashboard plugin to version 2.2.5 or later to resolve the vulnerability.
While no confirmed active exploitation campaigns are known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the Frontend Dashboard plugin's official website or WordPress plugin repository for the latest advisory and update information.