Platform: wordpress
Component: post-saint
Fixed in: 1.3.2
CVE-2024-12471 describes an arbitrary file access vulnerability discovered in the Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress. This flaw allows authenticated attackers with subscriber-level access or higher to upload arbitrary files, potentially enabling remote code execution. The vulnerability impacts versions of the plugin up to and including 1.3.1. A patch is expected to address this issue.
The primary impact of CVE-2024-12471 is the potential for remote code execution (RCE) on WordPress servers. An attacker, possessing subscriber-level access or higher, can exploit this vulnerability to upload malicious files, such as web shells or backdoors. Successful exploitation could grant the attacker complete control over the affected WordPress instance, enabling them to modify website content, steal sensitive data (user credentials, database information), or even pivot to other systems on the network. The AI generator's popularity increases the potential blast radius, as many websites utilize it for content creation.
This vulnerability has been publicly disclosed and assigned a CVSS score of 8.8 (HIGH). While no public proof-of-concept (PoC) has been confirmed, the ease of exploitation, combined with the plugin's popularity, suggests a potential for active exploitation. The vulnerability has not yet been added to the CISA KEV catalog. Further monitoring is recommended to assess the evolving threat landscape.
Websites utilizing the Post Saint AI Generator plugin, particularly those running vulnerable versions (≤1.3.1), are at risk. Shared hosting environments are especially vulnerable, as attackers could potentially exploit this vulnerability to compromise multiple websites hosted on the same server. WordPress sites with weak user access controls, allowing subscriber-level users to upload files, are also at increased risk.
• wordpress / composer / npm:
  grep -r 'add_image_to_library' /var/www/html/wp-content/plugins/post-saint-ai-generator/
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'post-saint-ai-generator'
• wordpress / composer / npm:
  curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=add_image_to_library | grep -i 'content-type'
Exploit status:
EPSS: 62.66% (98th percentile)
CISA SSVC:
CVSS vector:
The immediate mitigation for CVE-2024-12471 is to upgrade the Post Saint AI Generator plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, implement strict file type validation and capability checks on the add_image_to_library AJAX action function within the plugin's code, if feasible. Web application firewalls (WAFs) can be configured to block suspicious file uploads and requests targeting the vulnerable endpoint. Monitor WordPress logs for unusual file upload activity.
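The workaround above asks for a capability check and strict file type validation on the upload handler. The following is an added example of what such a hardened WordPress AJAX handler looks like; it is not the Post Saint plugin's own code, and the hook name, function name, nonce name and the `image` form field are hypothetical. The WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `media_handle_upload`, `wp_send_json_error`) are the real core functions.

```php
<?php
// Added example, not the Post Saint plugin's code: a hardened AJAX upload
// handler showing the checks the mitigation text calls for. Hook, function,
// nonce and field names are hypothetical.

// Only the 'wp_ajax_' hook is registered. Deliberately no 'wp_ajax_nopriv_'
// hook, so unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_add_image_to_library', 'example_add_image_to_library' );

function example_add_image_to_library() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_add_image_nonce', 'nonce' );

    // 2. Capability check. The Subscriber role does not hold 'upload_files',
    //    so this single line stops the subscriber-level caller the advisory
    //    describes. Checking is_user_logged_in() alone would NOT be enough.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // 3. Strict file type validation: a short allow-list of image types, and
    //    the declared extension must agree with the sniffed MIME type.
    //    Anything else (php, phtml, html, svg, ...) is rejected outright.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['image']['tmp_name'],
        $_FILES['image']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 4. Let WordPress move the file into the uploads directory and create the
    //    attachment. The same allow-list is passed as an override so that
    //    wp_handle_upload() enforces it a second time.
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $attachment_id = media_handle_upload( 'image', 0, array(), array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The ordering matters: the nonce and capability checks run before the uploaded file is touched, so a low-privilege account never gets as far as the file handling code. Relying on `wp_handle_upload()` alone is weaker, because a site with `ALLOW_UNFILTERED_UPLOADS` enabled or a permissive `upload_mimes` filter would loosen its checks; the explicit allow-list passed here applies regardless of those site-wide settings.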
Update the Post Saint plugin to the latest available version. This fixes the arbitrary file upload vulnerability.
CVE-2024-12471 is a vulnerability in the Post Saint AI Generator WordPress plugin allowing authenticated attackers to upload arbitrary files, potentially leading to remote code execution.
You are affected if you are using Post Saint AI Generator version 1.3.1 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Post Saint AI Generator plugin to the latest available version. If a patch is not yet available, disable the plugin as a temporary workaround.
While no confirmed exploitation has been publicly reported, the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the official Post Saint AI Generator website or WordPress plugin repository for updates and advisories regarding CVE-2024-12471.