Platform: wordpress
Component: postpage-import-export-with-custom-fields-taxonomies
Fixed in: 2.0.4
CVE-2025-24677 describes a Remote Code Execution (RCE) vulnerability within the wpspin Post/Page Copying Tool. This flaw allows attackers to inject and include arbitrary code, potentially granting them complete control over the affected WordPress site. The vulnerability impacts versions from 0.0.0 through 2.0.3, and a patch is available in version 2.0.4.
The impact of this RCE vulnerability is severe. An attacker exploiting the flaw could execute arbitrary code on the web server, leading to full compromise of the host: unauthorized access to sensitive data, modification of site content, installation of malware, or use of the server as a launchpad for further attacks. Because the injection mechanism also permits Remote Code Inclusion (RCI), the malicious code can be sourced from external resources rather than supplied inline, which widens the attack surface considerably. Arbitrary code execution sidesteps WordPress's standard security controls and puts both site integrity and data confidentiality at risk.
CVE-2025-24677 was publicly disclosed on 2025-02-04. The vulnerability's RCE nature and the ease of code injection suggest a potentially high exploitation probability. While no public proof-of-concept (PoC) has been confirmed at the time of writing, the severity of the vulnerability makes it a likely target for exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.12% (31st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-24677 is to immediately upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to filter potentially malicious code injection attempts can provide an additional layer of defense. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed and kept up to date.
Update the 'Post/Page Copying Tool' plugin to version 2.0.4 or higher to mitigate the Remote Code Execution (RCE) vulnerability. This update addresses the improper control of code generation (code injection) that allowed malicious code to be included. Ensure you back up your website before updating the plugin.
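A defender-side check for the upgrade step above, added here as an example (not code from the advisory or from the plugin itself): it reads the `Version:` field from a WordPress plugin header, compares it numerically against the fixed release 2.0.4, and treats pre-release suffixes as older than the plain release, as PHP's version_compare() does. The plugin header text is a constructed sample and the function names are assumptions.

```python
import re

# Values stated in the advisory: the affected plugin's directory slug and the
# release that carries the fix (versions 0.0.0 through 2.0.3 are affected).
PLUGIN_SLUG = "postpage-import-export-with-custom-fields-taxonomies"
FIXED_IN = "2.0.4"

# Constructed sample of a plugin main-file header in the form WordPress's
# plugin loader reads; the text is hypothetical, not copied from the plugin.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Post/Page Copying Tool
Version: 2.0.3
*/
"""

def parse_version(text):
    """'2.0.3', '2.0.10' or '2.0.4-beta1' -> comparable tuple: integer
    components (so 2.0.10 > 2.0.4), missing ones count as 0, and a
    pre-release suffix sorts below the plain release (PHP version_compare)."""
    nums, release = [], 1
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:            # non-numeric component, e.g. 'rc1'
            release = 0
            break
        nums.append(int(m.group(1)))
        if m.group(2):       # trailing suffix, e.g. '4-beta1'
            release = 0
            break
    nums += [0] * (3 - len(nums))
    return tuple(nums) + (release,)

def header_version(php_source):
    """Pull the 'Version:' field out of a WordPress plugin header block."""
    m = re.search(r"^[ \t/*#]*Version:[ \t]*(\S+)", php_source, re.M | re.I)
    return m.group(1) if m else None

def is_vulnerable(installed):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_IN)

def assess(php_source):
    """Report installed version and patch status; an unparseable header is
    reported as 'unknown' rather than silently treated as patched."""
    version = header_version(php_source)
    if version is None:
        return {"slug": PLUGIN_SLUG, "version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable(version) else "patched"
    return {"slug": PLUGIN_SLUG, "version": version, "status": status}
```

On a real site, feed it the main PHP file under wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/ (or the version column from `wp plugin list`) instead of the constructed sample.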
CVE-2025-24677 is a critical Remote Code Execution vulnerability in the wpspin Post/Page Copying Tool, allowing attackers to execute arbitrary code on a WordPress website.
Yes, if you are using wpspin Post/Page Copying Tool versions 0.0.0 through 2.0.3, you are vulnerable to this RCE.
Upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later to remediate the vulnerability. If immediate upgrade is not possible, disable the plugin.
While no confirmed exploitation is currently public, the severity of the vulnerability suggests a high probability of exploitation.
Refer to the wpspin project's official website or WordPress plugin repository for the latest advisory and update information.