Platform
wordpress
Component
wooevents
Fixed in
4.1.3
CVE-2024-8671 is a critical vulnerability affecting the WooEvents - Calendar and Event Booking plugin for WordPress. This vulnerability allows for arbitrary file overwrites due to insufficient file path validation. Successful exploitation can lead to remote code execution, potentially granting attackers complete control over the WordPress instance. The vulnerability impacts versions of WooEvents up to and including 4.1.2, and a patch is available.
The arbitrary file overwrite capability presents a significant risk. An attacker could overwrite critical WordPress configuration files, such as wp-config.php, which contains database credentials and other sensitive information. By deleting this file, an attacker can trigger a situation where they can then overwrite it with a malicious version, effectively gaining control of the WordPress site. This could lead to data breaches, website defacement, malware injection, and complete compromise of the server. The ease of exploitation, combined with the plugin's popularity, makes this a high-priority vulnerability.
This vulnerability was publicly disclosed on September 24, 2024. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the plugin's widespread use make it a likely target. The severity is considered CRITICAL due to the potential for remote code execution. No KEV listing is currently available.
Exploit Status
EPSS
7.69% (92% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade to a patched version of the WooEvents plugin. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These include restricting file upload permissions to prevent attackers from overwriting sensitive files. Implementing a Web Application Firewall (WAF) with rules to block suspicious file overwriting attempts can also provide an additional layer of defense. Regularly review file permissions and ensure they are set to the most restrictive possible settings. After upgrade, confirm by attempting to trigger the vulnerable endpoint with a crafted payload and verifying that the file overwrite is prevented.
Update the WooEvents plugin to the latest available version. The vulnerability allows for arbitrary file overwrite, which could lead to remote code execution. The update corrects the insufficient file path validation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-8671 is a critical vulnerability in the WooEvents plugin allowing attackers to overwrite files, potentially leading to remote code execution. It affects versions up to 4.1.2.
If you are using WooEvents version 4.1.2 or earlier, you are vulnerable. Check your plugin version and upgrade immediately.
Upgrade to the latest version of the WooEvents plugin. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and file permission restrictions.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the WooEvents official website and WordPress plugin repository for the latest security advisory and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.