Platform
wordpress
Component
payu-india
Fixed in
3.8.4
CVE-2024-12264 is a privilege escalation vulnerability in the PayU CommercePro Plugin for WordPress. It allows unauthenticated attackers to create new administrative user accounts and thereby take complete control of the site. All plugin versions up to and including 3.8.3 are affected; the corrected release is listed above as 3.8.4, which should be confirmed against the vendor's changelog before relying on it.
The impact is severe. No credentials are needed: the attacker interacts directly with the plugin's REST routes and ends up with an administrator account, which gives full control of the WordPress installation, including access to order and customer data, modification of content, installation of arbitrary plugins (and therefore arbitrary PHP), and a foothold from which to pivot to other systems reachable from the web server. The root cause is the lack of authentication checks on the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost endpoints, which lets an anonymous client drive the account-creation path. Note that WordPress also serves REST routes through the /?rest_route=/payu/v1/... fallback when pretty permalinks are disabled, so both URL forms must be considered when blocking or hunting for this traffic.
CVE-2024-12264 was publicly disclosed on 2025-01-07. The CVSS 9.8 score describes severity (network-reachable, no privileges, no user interaction, full confidentiality, integrity and availability impact), not likelihood; the EPSS estimate listed below (0.38%, 59th percentile) is the likelihood figure. No public proof-of-concept code had been released at the time of writing, but the attack is simple enough that one may appear. The CVE is not currently listed in the CISA KEV catalog.
Any WordPress site with the PayU CommercePro Plugin installed at version 3.8.3 or earlier is at risk. Exposure does not depend on the login page or admin area being reachable, because the vulnerable routes are served by the public REST API to anonymous clients. Because the plugin handles payment processing, a compromised site also puts customer and transaction data, and the integrity of the checkout flow, at risk.
• wordpress (WP-CLI), confirm whether the plugin is installed and which version is active:
wp plugin list | grep -i payu
• wordpress (WP-CLI), update to the fixed release (plugin slug payu-india as listed under Component; confirm the slug against the output of wp plugin list before running this):
wp plugin update payu-india
• wordpress, locate the account-creation code path in the installed copy of the plugin:
grep -rn 'wp_create_user' /var/www/html/wp-content/plugins/payu-india/
• generic web:
Check the web server access logs for requests to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost, and for the equivalent /?rest_route=/payu/v1/... form, from unexpected clients. These routes are called by the attacker without any authentication, so the absence of authentication headers is expected rather than anomalous; the signal to investigate is a 2xx response to such a request, especially when the same client hits both routes in sequence. Follow up by reviewing wp_users and wp_usermeta for administrator accounts created around the time of those requests.
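The following triage script is an added example, not code from the page or from the plugin vendor. It walks an Apache/nginx "combined"-format access log, recognises both the /wp-json/ and the /?rest_route= forms of the two routes named above, groups hits by client IP and gives each client a verdict based on whether the suspect routes were actually served (2xx) or rejected (4xx/5xx). The log lines and IP addresses embedded in it are constructed sample data; the log format regex assumes the default combined LogFormat and would need adjusting for a custom format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# REST routes named in the advisory, expressed relative to the REST root
# (the page gives them as /wp-json/payu/v1/...).
SUSPECT_ROUTES = (
    "/payu/v1/generate-user-token",
    "/payu/v1/get-shipping-cost",
)

# Apache/nginx "combined" log format. Assumption: the server uses the default
# LogFormat; adjust the pattern if yours differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one client that hit both routes and got 200s, one
# that was blocked with 403 via the rest_route fallback, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2025:10:15:01 +0000] "POST /wp-json/payu/v1/generate-user-token HTTP/1.1" 200 212 "-" "python-requests/2.31.0"
203.0.113.7 - - [07/Jan/2025:10:15:03 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 98 "-" "python-requests/2.31.0"
198.51.100.22 - - [07/Jan/2025:11:02:44 +0000] "GET /?rest_route=/payu/v1/generate-user-token HTTP/1.1" 403 45 "-" "curl/8.4.0"
192.0.2.10 - - [07/Jan/2025:11:30:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Jan/2025:11:31:12 +0000] "POST /wp-json/payu/v1/get-shipping-cost HTTP/1.1" 200 98 "https://shop.example/checkout" "Mozilla/5.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Parse one combined-format line into a Hit, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def requested_route(path):
    """Return the REST route a request targets, or None for non-REST requests.

    Handles the pretty-permalink form (/wp-json/<route>) and the fallback
    WordPress accepts when permalinks are plain (/?rest_route=<route> or
    /index.php?rest_route=<route>). Query strings and trailing slashes are dropped.
    """
    parts = urlsplit(path)
    p = unquote(parts.path).rstrip("/")
    if p.startswith("/wp-json/"):
        return "/" + p[len("/wp-json/"):]
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0]).rstrip("/")
    return None


def verdict(entry):
    """Classify one client's activity against the suspect routes."""
    served = any(200 <= s < 300 for s in entry["statuses"])
    both = set(SUSPECT_ROUTES) <= entry["routes"]
    if served and both:
        return "INVESTIGATE: both routes served 2xx; audit wp_users for new administrators"
    if served:
        return "REVIEW: a suspect route was served 2xx"
    return "BLOCKED: only 4xx/5xx responses"


def triage(lines):
    """Group hits on the suspect routes by client IP and attach a verdict to each."""
    report = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        route = requested_route(hit.path)
        if route not in SUSPECT_ROUTES:
            continue
        entry = report.setdefault(hit.ip, {
            "routes": set(), "statuses": defaultdict(int), "user_agents": set(),
            "first": hit.ts, "last": hit.ts,
        })
        entry["routes"].add(route)
        entry["statuses"][hit.status] += 1
        entry["user_agents"].add(hit.ua)
        entry["last"] = hit.ts
    for entry in report.values():
        entry["verdict"] = verdict(entry)
    return report


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {entry['first']} .. {entry['last']} "
              f"routes={sorted(entry['routes'])} statuses={dict(entry['statuses'])}")
        print(f"{'':15} {entry['verdict']}")
```

Run it against a real log with `triage(open("/var/log/apache2/access.log").readlines())`; clients marked INVESTIGATE are the ones whose requests to both routes were answered successfully, which is the pattern the account-creation abuse leaves behind. After the upgrade, the same script should show only BLOCKED verdicts for anonymous probes of these routes.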
disclosure
Exploit status
EPSS
0.38% (percentile 59%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12264 is to upgrade the PayU CommercePro Plugin to the fixed release (3.8.4 as listed above, or later), after confirming the fix in the vendor's changelog. Where the upgrade cannot be applied immediately, deactivate the plugin, which also removes its REST routes, or restrict access to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost with a WordPress firewall plugin or server-level rules (for example .htaccess or an nginx location block); remember to cover the /?rest_route=/payu/v1/... fallback form as well, since a rule that only matches /wp-json/ leaves the routes reachable. After upgrading, verify the fix by sending an unauthenticated request to each endpoint and confirming that the response is 401 or 403 rather than 200; there is no need to complete the account-creation flow against a production site to check this. Regardless of the mitigation path, audit existing user accounts for administrators you did not create.
Update the PayU CommercePro Plugin to the latest available version. This fixes the privilege escalation vulnerability that lets unauthenticated attackers create administrator accounts.
CVE-2024-12264 is a critical vulnerability in the PayU CommercePro Plugin for WordPress that allows unauthenticated attackers to create administrator accounts. It affects versions up to and including 3.8.3 and carries a CVSS score of 9.8.
You are affected if your WordPress site uses the PayU CommercePro Plugin version 3.8.3 or earlier. Check your plugin versions immediately.
Upgrade the PayU CommercePro Plugin to the fixed release (3.8.4 as listed above, or later). If you cannot upgrade immediately, deactivate the plugin or block the vulnerable REST routes as a workaround.
No active exploitation has been confirmed, and the EPSS estimate (0.38%) is modest; the vulnerability is nevertheless trivial to exploit and grants full site takeover, so monitor access logs for the routes above and review administrator accounts.
Refer to the PayU CommercePro Plugin's official website or WordPress plugin repository for updates and advisories regarding CVE-2024-12264.