Platform
wordpress
Component
customify-sites
Fixed in
0.0.10
CVE-2024-33644 describes a Remote Code Execution (RCE) vulnerability within the Customify Site Library, a WordPress plugin. This vulnerability allows attackers to inject arbitrary code, potentially leading to complete system compromise. It impacts versions of the plugin up to and including 0.0.9, with a fix available in version 0.0.10.
The impact of CVE-2024-33644 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could involve gaining unauthorized access to sensitive data, modifying website content, installing malware, or even taking complete control of the server. Given the plugin's functionality, attackers could potentially target user data, configuration files, and other critical assets. The potential blast radius extends to any connected systems accessible from the compromised WordPress server.
CVE-2024-33644 was publicly disclosed on 2024-05-17. The vulnerability is rated CRITICAL on the CVSS scale, and its EPSS score (95th percentile) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been widely publicized at the time of writing, the ease of code injection in similar vulnerabilities suggests a high likelihood of PoCs emerging. Active exploitation campaigns are possible, particularly against sites running older, unpatched versions of the plugin.
Exploit Status
EPSS
17.04% (95th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-33644 is to immediately upgrade the Customify Site Library plugin to version 0.0.10 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web application firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of protection. Monitor WordPress plugin activity logs for suspicious code execution patterns. After upgrading, verify the fix by attempting to trigger the vulnerability using known attack vectors (if available) and confirming that the code injection is prevented.
Update the Customify Site Library plugin to the latest available version. The Remote Code Execution (RCE) vulnerability exists in older versions. Updating will resolve the issue.
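To support the version check described above, here is an added example (not code from the advisory or from the plugin itself) that reads the WordPress plugin header of the `customify-sites` plugin the way WordPress locates plugins, scanning top-level PHP files for a `Plugin Name:` header, and compares the `Version:` field against the fixed release 0.0.10 numerically. The `plugins_dir` argument and the sample header are assumptions constructed for the example; the numeric comparison matters because a plain string comparison ranks "0.0.10" below "0.0.9".

```python
import re
from pathlib import Path

PLUGIN_SLUG = "customify-sites"   # plugin directory slug, from the advisory
FIXED_VERSION = "0.0.10"          # first fixed release, from the advisory

def parse_version(version):
    """Turn '0.0.9' into (0, 0, 9); only the leading digits of each part count."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, comparing numeric components.
    A plain string comparison gets this wrong: '0.0.10' < '0.0.9' is True."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([^\s*]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def check_installed(plugins_dir):
    """Scan <plugins_dir>/customify-sites/*.php for the plugin header, as
    WordPress does, and return (version, affected); None if not installed."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    candidates = sorted(plugin_dir.glob("*.php")) if plugin_dir.is_dir() else []
    for php_file in candidates:
        text = php_file.read_text(errors="replace")
        if re.search(r"^\s*\*?\s*Plugin Name:", text, re.MULTILINE):
            version = version_from_header(text)
            return version, version is not None and is_affected(version)
    return None

# Constructed sample header mimicking the WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Customify Site Library
 * Version: 0.0.9
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"sample header version {v}: affected={is_affected(v)}")
```

Run `check_installed("/var/www/html/wp-content/plugins")` against a real install to get the installed version and whether it falls in the affected range.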
CVE-2024-33644 is a critical Remote Code Execution vulnerability in the Customify Site Library WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Customify Site Library version 0.0.9 or earlier. Check your plugin versions immediately.
Upgrade Customify Site Library to version 0.0.10 or later to resolve the vulnerability. Disable the plugin temporarily if upgrading is not immediately possible.
While no widespread exploitation has been confirmed, the high CVSS score and ease of code injection suggest a high likelihood of exploitation.
Refer to the Customify website and WordPress plugin repository for the official advisory and update information.