Platform
wordpress
Component
favicon-generator
Fixed in
1.5.1
A critical vulnerability, CVE-2024-7568, affects the Favicon Generator plugin for WordPress versions up to 1.5. This vulnerability allows an attacker to delete arbitrary files on the server through Cross-Site Request Forgery (CSRF) attacks. Due to the plugin author removing the functionality and closing the plugin, a direct upgrade is not possible; mitigation strategies focus on alternative security measures.
The Arbitrary File Access vulnerability in Favicon Generator allows unauthenticated attackers to delete files on the server if they can trick a site administrator into clicking a malicious link. This could lead to complete site compromise, data loss, or denial of service. An attacker could delete core WordPress files, plugin configurations, or even critical system files, effectively taking control of the server. The impact is particularly severe as the plugin's functionality is now discontinued, leaving users with no direct patch option.
CVE-2024-7568 was publicly disclosed on August 24, 2024. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that one will emerge. It is not currently listed on CISA KEV. The plugin's closure significantly reduces the likelihood of active exploitation, but the potential for opportunistic attacks remains.
Exploit Status
EPSS
0.43% (63% percentile)
CISA SSVC
CVSS Vector
Since a direct upgrade is not possible due to the plugin being closed, mitigation focuses on preventing exploitation. Implement Web Application Firewall (WAF) rules to block suspicious requests targeting the vulnerable outputsubadminpage0 function. Regularly monitor file system activity for unauthorized deletions. Consider using a security plugin with CSRF protection capabilities. Thoroughly review any WordPress plugins before installation and ensure they are from reputable sources. After implementing WAF rules, verify their effectiveness by simulating a CSRF attack.
This plugin has been discontinued by the author. We recommend seeking an alternative plugin for favicon management.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-7568 is a CRITICAL vulnerability in the Favicon Generator WordPress plugin allowing attackers to delete files via CSRF. It affects versions up to 1.5.
You are affected if your WordPress site uses the Favicon Generator plugin version 1.5 or earlier. The plugin is now closed, so direct patching is not possible.
Due to the plugin being closed, upgrade is not possible. Mitigate by implementing WAF rules, monitoring file system activity, and using CSRF protection plugins.
No active exploitation has been confirmed, but the vulnerability's nature makes it a potential target for opportunistic attacks.
The plugin author has closed the plugin; official advisories are limited. Consult WordPress security blogs and vulnerability databases for updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.