Platform: wordpress
Component: xserver-migrator
Fixed in: 1.6.2
CVE-2024-33913 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Xserver Migrator WordPress plugin. This vulnerability allows an attacker to trigger arbitrary file uploads on vulnerable systems, potentially leading to remote code execution or other malicious actions. The vulnerability affects versions of Xserver Migrator up to and including 1.6.1, and a patch is available in version 1.6.2.
The impact of this CSRF vulnerability is significant. An attacker can craft a malicious request that, when triggered by a logged-in user of the Xserver Migrator plugin, results in the upload of a file of the attacker's choosing. This file could contain a web shell, malware, or other malicious code. Successful exploitation could lead to complete compromise of the WordPress site, including data theft, defacement, or the installation of a persistent backdoor. The attacker does not need an account on the target site; exploitation only requires that a user holding a valid session on the target WordPress site be induced to trigger the forged request.
This vulnerability was publicly disclosed on May 2, 2024. While no active exploitation campaigns have been publicly reported at the time of writing, the ease of exploitation and the CRITICAL CVSS score suggest a high probability of exploitation. The CSRF nature of the vulnerability means that attackers can leverage social engineering or other techniques to trick users into triggering the malicious upload. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (36th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-33913 is to immediately upgrade the Xserver Migrator plugin to version 1.6.2 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule that blocks requests to the plugin's file upload endpoint carrying suspicious file extensions or unusual file names; because the root cause is a missing CSRF check in the plugin, such a rule is a stopgap and does not replace the upgrade. Additionally, review WordPress user permissions to ensure that only necessary users have the ability to upload files. After upgrading, confirm the fix by attempting a file upload with a known malicious extension and verifying that it is rejected.
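To illustrate the vulnerability class described above and the fix that the 1.6.2 release would need to contain, here is an added example that is not code from Xserver Migrator: a hypothetical WordPress admin-ajax upload handler in the shape that makes CSRF-driven uploads possible, beside a hardened form that verifies a nonce, checks capability and constrains the file. The function names, the `example_migrator_upload` action and the `backup` field are assumptions for the example.

```php
<?php
// Added illustration, not code from the Xserver Migrator plugin. Names are assumed.

// BEFORE (hypothetical vulnerable shape): the handler trusts any request that
// arrives with a logged-in user's cookies. A form posted from an attacker's site
// therefore rides on the victim's session and the supplied file is written as-is.
function example_migrator_upload_vulnerable() {
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['backup']['name'];
    move_uploaded_file( $_FILES['backup']['tmp_name'], $dest );
    wp_send_json_success();
}

// AFTER (hardened): the nonce proves the request came from a page WordPress served
// to this user, the capability check limits the action to administrators, and the
// file name and type are constrained before anything touches the filesystem.
function example_migrator_upload_hardened() {
    // Dies with HTTP 403 unless a valid nonce for this action accompanies the request.
    check_ajax_referer( 'example_migrator_upload', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['backup']['tmp_name'] ) || ! is_uploaded_file( $_FILES['backup']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Allow only the archive type a migration needs; PHP or other executables are rejected.
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext( $_FILES['backup']['tmp_name'], $_FILES['backup']['name'], $allowed );
    if ( empty( $check['ext'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }
    // basename() plus sanitize_file_name() removes path separators, so the name cannot
    // escape the target directory.
    $name = sanitize_file_name( basename( $_FILES['backup']['name'] ) );
    $dest = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-migrator/' . $name;
    wp_mkdir_p( dirname( $dest ) );
    if ( ! move_uploaded_file( $_FILES['backup']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success( array( 'file' => $name ) );
}
add_action( 'wp_ajax_example_migrator_upload', 'example_migrator_upload_hardened' );

// The admin page that renders the upload form must emit the matching nonce field:
// wp_nonce_field( 'example_migrator_upload', '_wpnonce' );
```

A request forged from another origin cannot carry a valid nonce, so the hardened handler fails closed before the file is examined; the type and name checks limit what an authorised upload can write even if the nonce is leaked.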
Update the Xserver Migrator plugin to the latest available version. The CSRF vulnerability that allows arbitrary file uploads has been fixed in versions later than 1.6.1. Consult the plugin's changelog for more details on the update.
CVE-2024-33913 is a critical Cross-Site Request Forgery (CSRF) vulnerability in the Xserver Migrator WordPress plugin that allows attackers to upload arbitrary files.
Yes, if you are using Xserver Migrator version 1.6.1 or earlier, you are affected by this vulnerability.
Upgrade the Xserver Migrator plugin to version 1.6.2 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation campaigns have been publicly confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation.
Refer to the Xserver Migrator plugin documentation and website for the official advisory and release notes for version 1.6.2.