Platform
wordpress
Component
get-a-quote-button-for-woocommerce
Fixed in
1.4.1
CVE-2024-11034 describes an arbitrary shortcode execution vulnerability discovered in the Request a Quote for WooCommerce and Elementor plugin. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially compromising the WordPress site. The vulnerability affects versions up to 1.4. A patch is available from the plugin developer.
The arbitrary shortcode execution vulnerability poses a significant risk to WordPress sites utilizing the affected plugin. An attacker could leverage this to inject malicious content, redirect users to phishing sites, deface the website, or even gain remote code execution capabilities. The blast radius extends to any user interacting with the quote form, and successful exploitation could lead to data theft or complete site takeover. This vulnerability shares similarities with other shortcode-related vulnerabilities where insufficient input validation allows for code injection.
This vulnerability was publicly disclosed on November 23, 2024. While no public proof-of-concept (PoC) has been widely released, the ease of exploitation makes it likely that attackers are actively scanning for vulnerable instances. The vulnerability is not currently listed on the CISA KEV catalog. Due to the plugin's popularity, it is considered a high-priority vulnerability requiring immediate attention.
Websites using the Request a Quote for WooCommerce and Elementor plugin, particularly those running older versions (≤1.4), are at risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates. Sites with custom integrations or modifications to the plugin’s functionality may also be at increased risk.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/request-a-quote-for-woocommerce/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'request-a-quote-for-woocommerce'
• wordpress / composer / npm:
wp plugin update request-a-quote-for-woocommerce
Disclosure
Exploit status
EPSS
0.60% (percentile 69%)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Request a Quote for WooCommerce and Elementor plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible, consider temporarily disabling the plugin or restricting access to the quote form. As a temporary workaround, implement a Web Application Firewall (WAF) rule to block requests containing suspicious shortcodes in the firecontactform AJAX action. Regularly scan your WordPress installation for vulnerable plugins using security plugins or command-line tools.
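To make the root cause and the fix concrete, here is an added illustration (hypothetical code, not the plugin's own source): an unauthenticated AJAX handler that evaluates caller-supplied shortcode text, the pattern behind this class of bug, next to a hardened handler that only ever renders one fixed, server-validated shortcode. Only the AJAX action name `firecontactform` comes from the advisory; the parameter names, nonce, post type and shortcode tag are assumptions.

```php
<?php
// Added illustration (hypothetical, not the plugin's code). Only the action name
// "firecontactform" is taken from the advisory; everything else is assumed.

// VULNERABLE PATTERN (shown for contrast, never registered below): the endpoint
// hands request data straight to do_shortcode(), so any registered shortcode
// on the site runs with whatever the anonymous caller puts in the request.
function rq_example_firecontactform_vulnerable() {
    $markup = isset( $_POST['form_shortcode'] ) ? wp_unslash( $_POST['form_shortcode'] ) : '';
    echo do_shortcode( $markup ); // executes every [tag] in the string
    wp_die();
}

// HARDENED: never evaluate caller-supplied shortcode text. Accept an identifier,
// validate it server-side, strip shortcode syntax from free text, and render
// a single allowlisted tag whose attributes the server builds itself.
function rq_example_firecontactform_hardened() {
    check_ajax_referer( 'rq_example_quote_form', 'nonce' ); // nonce action name is assumed

    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id || 'rq_example_form' !== get_post_type( $form_id ) ) { // post type is assumed
        wp_send_json_error( 'unknown form', 400 );
    }

    // Shortcode syntax in free-text fields is removed rather than executed.
    $message = sanitize_textarea_field( strip_shortcodes( wp_unslash( $_POST['message'] ?? '' ) ) );

    // The only shortcode that runs is one fixed tag with a server-validated id.
    $tag = 'rq_example_quote_form';
    if ( ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'form renderer unavailable', 500 );
    }
    wp_send_json_success( array(
        'html'    => do_shortcode( sprintf( '[%s id="%d"]', $tag, $form_id ) ),
        'message' => $message,
    ) );
}

add_action( 'wp_ajax_nopriv_firecontactform', 'rq_example_firecontactform_hardened' );
add_action( 'wp_ajax_firecontactform', 'rq_example_firecontactform_hardened' );
```

The `grep` for `do_shortcode` listed above finds call sites like the first function; the review question for each hit is whether its argument can originate from the request.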
Update the Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin to the latest available version. This fixes the arbitrary shortcode execution vulnerability.
CVE-2024-11034 is a HIGH severity vulnerability allowing unauthenticated attackers to execute arbitrary shortcodes in the Request a Quote for WooCommerce plugin, potentially leading to code execution.
You are affected if you are using the Request a Quote for WooCommerce plugin version 1.4 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Request a Quote for WooCommerce plugin to the latest version available from the WordPress plugin repository. If upgrading is not possible, disable the plugin or implement a WAF rule.
While no widespread exploitation has been confirmed, the ease of exploitation suggests attackers are likely scanning for vulnerable instances. Proactive patching is crucial.
Check the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.