Platform: wordpress
Component: salesking
Fixed in: 1.6.16
CVE-2024-22157 describes an Improper Privilege Management vulnerability within WebWizards SalesKing, enabling Privilege Escalation. This flaw allows attackers to bypass intended access controls and potentially gain administrative access. The vulnerability affects SalesKing versions up to 1.6.15, and a patch is available in version 1.6.16.
Successful exploitation of CVE-2024-22157 allows an attacker to escalate their privileges within the SalesKing WordPress plugin. This could lead to complete control over the WordPress site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and even compromise the underlying server. The impact is particularly severe because SalesKing is often used for managing customer relationships and sales processes, making the data at risk highly valuable. A compromised SalesKing instance could be used as a launching point for further attacks against the entire network, demonstrating a significant blast radius.
CVE-2024-22157 was publicly disclosed on 2024-05-17. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's CRITICAL CVSS score suggests a high probability of exploitation if a suitable exploit is developed and released. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
Exploit Status
EPSS: 0.52% (67th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-22157 is to immediately upgrade SalesKing to version 1.6.16 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting access to SalesKing administrative functions based on user roles and implementing strict input validation to prevent malicious code injection. While a WAF might offer some protection, it is not a substitute for patching. After upgrading, verify the fix by attempting to access administrative functions with a non-administrative user account and confirming that access is denied.
Update the SalesKing plugin to the latest available version. The unauthenticated privilege escalation vulnerability is fixed in versions later than 1.6.15. To update, open the WordPress admin panel, go to the 'Plugins' section, locate 'SalesKing' and apply the available update.
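A small triage script for the version condition stated above (affected up to 1.6.15, fixed in 1.6.16), added here as an example and not taken from the advisory or the SalesKing project. It assumes the plugin's main file carries the standard WordPress plugin header with a 'Version:' line, and the sample headers it checks are constructed.

```python
"""Triage check for CVE-2024-22157: is an installed SalesKing plugin still on a
vulnerable version (<= 1.6.15, fixed in 1.6.16)?

Added example, not the advisory's or the SalesKing project's code. It reads the
standard WordPress plugin file header ('Version:' line) and compares versions
numerically, so 1.6.9 sorts before 1.6.16 (a string compare would get it wrong).
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "1.6.16"  # first fixed release per the advisory

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.15' into (1, 6, 15); a suffix such as '-beta' is dropped."""
    parts = re.findall(r"\d+", text.split("-")[0])
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def version_from_plugin_header(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))  # pad so '1.6' compares as (1, 6, 0)
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def check_plugin_header(header: str) -> str:
    """One-line verdict for a plugin header; 'unknown' if no version is found."""
    v = version_from_plugin_header(header)
    if v is None:
        return "unknown: no Version header found"
    return f"{'VULNERABLE' if is_vulnerable(v) else 'patched'}: SalesKing {v}"

# Constructed sample headers in the standard WordPress plugin header format
SAMPLE_OLD = """<?php
/**
 * Plugin Name: SalesKing
 * Version: 1.6.15
 */
"""
SAMPLE_NEW = SAMPLE_OLD.replace("1.6.15", "1.6.16")

if __name__ == "__main__":
    for h in (SAMPLE_OLD, SAMPLE_NEW):
        print(check_plugin_header(h))
```

Point it at the real plugin's main PHP file on each site you manage to get a quick fleet-wide view of who still needs the 1.6.16 upgrade.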
CVE-2024-22157 is a critical vulnerability in SalesKing allowing attackers to gain elevated privileges, potentially compromising the entire WordPress site. It affects versions up to 1.6.15.
Yes, if you are using SalesKing version 1.6.15 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade SalesKing to version 1.6.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access based on user roles.
As of now, there are no publicly known exploits, but the CRITICAL severity suggests a high likelihood of exploitation if a suitable exploit is developed.
Refer to the official SalesKing website or their WordPress plugin page for the latest security advisory and update information.