Platform: wordpress
Component: cwicly
Fixed in: 1.4.1
CVE-2024-24707 describes a Remote Code Execution (RCE) vulnerability within the Cwicly Builder WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete server compromise. The vulnerability affects versions of Cwicly Builder up to and including 1.4.0.2, and a fix is available in version 1.4.1.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute arbitrary commands on the web server hosting the WordPress site. This could lead to data theft, website defacement, malware installation, or complete server takeover. Given the plugin's functionality as a visual builder, the attack surface is broad, potentially affecting any site using Cwicly Builder. The ability to execute arbitrary code bypasses standard WordPress security measures, making this a high-priority concern.
This vulnerability was publicly disclosed on April 3, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 0.42% (62nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade Cwicly Builder to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Cwicly Builder functionality. While a direct WAF rule is difficult to implement without specific code injection patterns, monitoring for unusual file uploads or execution attempts related to Cwicly Builder can provide early detection. Review WordPress user permissions and ensure the principle of least privilege is enforced.
Update the Cwicly plugin to the latest available version. The Remote Code Execution (RCE) vulnerability is fixed in versions later than 1.4.0.2. Refer to the plugin documentation for detailed instructions on how to update.
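A defender-side version check, added here as an example and not code from Cwicly or from this advisory: it reads the standard WordPress plugin header of the installed plugin's main file, compares the Version field numerically against the affected range stated above (at or below 1.4.0.2, fixed in 1.4.1), and reports whether an upgrade is still outstanding. It assumes the plugin directory is wp-content/plugins/cwicly (the component slug on this page) and that the main file carries a WordPress header block; the sample header embedded in the script is constructed for the demonstration and is not the real plugin file. The numeric comparison matters because a plain string comparison would rank a hypothetical 1.4.10 below 1.4.9.

```python
"""Check an installed Cwicly Builder plugin against the CVE-2024-24707
affected range (<= 1.4.0.2, fixed in 1.4.1).

Added example; not code from Cwicly or from the advisory. Assumptions:
  * the plugin lives at <wp-root>/wp-content/plugins/cwicly/ ("cwicly" is the
    component slug on the advisory page);
  * its main PHP file carries the standard WordPress header block
    ("Plugin Name:", "Version:"), which is what WordPress itself reads.
"""
import re
import sys
from pathlib import Path
from typing import Optional

AFFECTED_MAX = "1.4.0.2"  # last affected release, per the advisory
FIXED_IN = "1.4.1"        # first fixed release, per the advisory

# Mirrors the shape of the header regex WordPress uses in get_file_data():
# the field name may be preceded by comment punctuation and is matched
# case-insensitively, one field per line.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$",
                       re.MULTILINE | re.IGNORECASE)

# Constructed sample header for the offline demonstration.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Cwicly
 * Description: Constructed sample header, not the real plugin file.
 * Version: 1.4.0.2
 */
"""


def parse_version(v: str) -> tuple:
    """Turn '1.4.0.2' into (1, 4, 0, 2) so that 1.4.10 sorts above 1.4.9,
    which a plain string comparison gets wrong. A non-numeric segment
    (e.g. 'beta') counts as 0."""
    parts = []
    for seg in v.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so '1.4' == '1.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is at or below the last affected release."""
    return compare_versions(version, AFFECTED_MAX) <= 0


def parse_plugin_header(php_source: str) -> dict:
    """Extract the plugin name and version from a main plugin file.
    Only the first 8 KiB are inspected, as WordPress does for header data."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        name = "name" if key.lower() == "plugin name" else "version"
        fields.setdefault(name, value.strip())
    return fields


def find_plugin_header(plugin_dir: Path) -> Optional[dict]:
    """Scan the top-level .php files of a plugin directory for a header block."""
    for php in sorted(plugin_dir.glob("*.php")):
        fields = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        if "name" in fields and "version" in fields:
            return fields
    return None


def assess(fields: Optional[dict]) -> dict:
    """Produce a verdict dict from parsed header fields."""
    if not fields or "version" not in fields:
        return {"status": "unknown", "reason": "no Version header found"}
    vulnerable = is_vulnerable(fields["version"])
    return {
        "status": "vulnerable" if vulnerable else "patched",
        "version": fields["version"],
        "action": f"upgrade to {FIXED_IN} or later" if vulnerable else "none",
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real install: python cwicly_check.py /var/www/html
        plugin_dir = Path(sys.argv[1]) / "wp-content" / "plugins" / "cwicly"
        print(assess(find_plugin_header(plugin_dir)))
    else:
        # No path given: demonstrate on the constructed sample header.
        print(assess(parse_plugin_header(SAMPLE_HEADER)))
```

Run it with the WordPress root as the only argument to check a live install; with no argument it evaluates the constructed sample and reports it as vulnerable with the upgrade action. An "unknown" verdict means no header was found under the assumed path, which is worth treating as a finding in its own right rather than as a pass.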
CVE-2024-24707 is a critical Remote Code Execution vulnerability in the Cwicly Builder WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Cwicly Builder versions 1.4.0.2 or earlier. Upgrade to 1.4.1 to resolve the issue.
Upgrade the Cwicly Builder plugin to version 1.4.1 or later through the WordPress plugin management interface.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Cwicly website and WordPress plugin repository for the latest advisory and update information: https://www.cwicly.com/