Platform
wordpress
Component
post-meta-data-manager
Fixed in
1.4.4
1.4.5
CVE-2024-13835 is a privilege escalation vulnerability discovered in the Post Meta Data Manager plugin for WordPress. An authenticated attacker with Administrator-level access can exploit this flaw to gain elevated privileges on subsites within a multisite WordPress installation. This vulnerability affects versions of the plugin up to and including 1.4.4. A patch is available to resolve this issue.
This vulnerability allows an authenticated administrator on a WordPress multisite installation to bypass access controls and gain administrative privileges on subsites they would normally not have access to. An attacker could leverage this to modify site content, install malicious plugins or themes, or compromise user accounts on those subsites. The potential impact extends to data breaches, website defacement, and complete site takeover of affected subsites. This vulnerability highlights the importance of proper access control verification within WordPress plugins, especially in multisite environments.
CVE-2024-13835 was publicly disclosed on 2025-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the presence of a WordPress multisite installation and the attacker's ability to obtain administrator-level access to the main site.
WordPress multisite installations using the Post Meta Data Manager plugin are at risk. Specifically, sites with a large number of subsites or those with less stringent user access controls are more vulnerable. Shared hosting environments where plugin updates are not managed by the user also face increased risk.
• wordpress / composer / npm:
  grep -r 'wp_kses_post' /var/www/html/wp-content/plugins/post-meta-data-manager/
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'Post Meta Data Manager'
• wordpress / composer / npm:
  wp plugin update --all
Disclosure
Exploit Status
EPSS
0.22% (percentile 45%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13835 is to upgrade the Post Meta Data Manager plugin to a version higher than 1.4.4, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider restricting administrator access to the main site and implementing stricter user role permissions on subsites. Regularly review user roles and permissions to ensure they align with the principle of least privilege. After upgrading, confirm the fix by attempting to access a subsite as a user with limited privileges and verifying that access is denied.
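The version check and the per-subsite inventory above, as an added WP-CLI script that is not part of this advisory or of the plugin; it assumes `wp` is on PATH, is run from the network's WordPress directory, and that `sort -V` (GNU or BusyBox) is available. The plugin slug and the 1.4.4 threshold are taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): audit a WordPress
# multisite network for CVE-2024-13835 with WP-CLI. Assumes `wp` is on PATH,
# the script runs from the network install directory, and `sort -V` exists.
PLUGIN="post-meta-data-manager"
LAST_VULNERABLE="1.4.4"   # the advisory: versions <= 1.4.4 are affected

# Exit 0 (true) when version $1 is <= LAST_VULNERABLE, 1 otherwise.
# Natural version sort handles cases like 1.10.0 > 1.4.4 correctly.
affected_version() {
    lowest=$(printf '%s\n' "$1" "$LAST_VULNERABLE" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Plugin code is shared by every site in a network, so the version is checked
# once; activation is per site, so list the subsites where it is active.
# Returns 0 when not affected, 2 when the installed version is affected.
audit_multisite() {
    version=$(wp plugin get "$PLUGIN" --field=version) || {
        echo "$PLUGIN is not installed"; return 0; }
    if ! affected_version "$version"; then
        echo "$PLUGIN $version is not affected (affected: <= $LAST_VULNERABLE)"
        return 0
    fi
    echo "$PLUGIN $version is AFFECTED: run 'wp plugin update $PLUGIN'"
    echo "Subsites with the plugin active (network activation counts):"
    wp site list --field=url | while read -r url; do
        if wp plugin is-active "$PLUGIN" --url="$url" >/dev/null 2>&1; then
            echo "  $url"
        fi
    done
    return 2
}

# Only talk to WP-CLI when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_multisite
fi
```

Run it as `sh audit.sh --audit` on the network host; a non-zero exit means an affected version is installed and the subsites listed should be re-checked after the update.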
No known fix is available. Please review the vulnerability details thoroughly and implement mitigations according to your organization's risk tolerance. It may be preferable to uninstall the affected software and find a replacement.
CVE-2024-13835 is a vulnerability in the Post Meta Data Manager plugin for WordPress that allows authenticated administrators to gain elevated privileges on subsites within a multisite installation.
You are affected if you are using the Post Meta Data Manager plugin in a WordPress multisite environment and are running a version equal to or less than 1.4.4.
Upgrade the Post Meta Data Manager plugin to a version greater than 1.4.4. This resolves the privilege escalation vulnerability.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2024-13835.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.