Platform
wordpress
Component
et-core-plugin
Fixed in
5.3.9
CVE-2024-33552 describes an Improper Privilege Management (CWE-269) vulnerability in the 8theme XStore Core plugin for WordPress. The flaw lets an attacker escalate privileges, potentially to administrator, and thereby take full control of the affected site. It affects XStore Core from the initial release through version 5.3.8; the fix shipped in version 5.3.9.
Successful exploitation of CVE-2024-33552 grants an attacker administrative control over a WordPress site running a vulnerable version of XStore Core. A WordPress administrator can install or edit plugins and themes, which on a default install amounts to arbitrary PHP execution on the web server, so the attacker can modify content, plant backdoors, steal sensitive data (user credentials, customer records, payment details), or deface the site. The blast radius extends beyond the site itself: a compromised WordPress host can serve as a foothold for attacks against other systems reachable from it. Given how widely WordPress and XStore Core are deployed, the vulnerability poses a widespread risk.
CVE-2024-33552 was publicly disclosed on 2024-05-17. As of this writing, no public proof-of-concept exploit has been released, and active campaigns targeting the flaw are not confirmed. The EPSS score recorded below (0.53%, 67th percentile) predicts a low but non-negligible probability of exploitation in the near term. Inclusion in the CISA KEV catalog would mean confirmed in-the-wild exploitation (KEV is a record of observed exploitation, not a probability rating); this entry carries no such confirmation, so verify the KEV status directly before treating the CVE as actively exploited. Either way, an escalation to administrator is critical in severity and warrants patching now.
Websites running XStore Core for WordPress at version 5.3.8 or earlier are at significant risk. Shared or centrally managed hosting environments are especially exposed: once an attacker holds administrator access on one site, the PHP execution that comes with it can reach other tenants wherever file-system or database isolation is weak. Sites with weak password policies or loose user access controls are at increased risk as well.
• wordpress: wp plugin list --fields=name,status,version | grep -i et-core
  Shows the installed XStore Core version whether the plugin is active or inactive; filtering with --status=inactive would miss an active, and therefore exploitable, install.
• wordpress: wp plugin get et-core-plugin --field=version
  The plugin slug is et-core-plugin, as listed under Component above, not xstore-core.
• wordpress: wp plugin update et-core-plugin
  XStore Core is distributed with the premium XStore theme rather than through the wordpress.org repository, so if WP-CLI reports nothing to update, install the 5.3.9 package through the 8theme account or the theme's updater and re-check the version afterwards.
• wordpress: wp core update
  Keeps WordPress core current; it does not address this CVE, which lies in the plugin.
disclosure
patch
Exploit status
EPSS
0.53% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-33552 is to upgrade XStore Core (et-core-plugin) to version 5.3.9 or later without delay. If the upgrade cannot be applied immediately because of theme compatibility concerns, reduce exposure in the meantime. No vendor-specific WAF rule is published for this CVE, so rely on generic controls: restrict wp-admin to trusted networks where the site's workflow allows, keep open user registration disabled unless it is needed, and make sure the default role for new users is Subscriber. Monitor for role changes and newly created administrator accounts (the set_user_role and user_register hooks, or a periodic wp user list --role=administrator), and review user roles and capabilities regularly. After upgrading, confirm the fix by checking the installed version rather than by attempting to exploit the flaw: wp plugin get et-core-plugin --field=version should report 5.3.9 or later. Any administrator account you cannot account for should be disabled and investigated, since the patch closes the hole but does not evict an attacker who already escalated.
Update the XStore Core plugin to the latest available version. The vulnerability allows privilege escalation, so applying the update as soon as possible is crucial. Consult the plugin's changelog for further details on the update.
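The WP-CLI checks listed above and the post-upgrade verification described in this section, as an added example that is not from the page or from 8theme: a POSIX shell script that decides whether the installed et-core-plugin version falls in the affected range (5.3.8 or earlier) and lists administrator accounts registered on or after the disclosure date, which is a starting point for the account review, not evidence of compromise. It consumes the CSV that `wp plugin list --format=csv` and `wp user list --format=csv` print; the two CSV samples embedded below are constructed so the script runs offline, and the field lists, the fixed version and the 2024-05-17 cut-off are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not from the advisory or from 8theme. Checks an installed
# XStore Core (slug et-core-plugin, per the Component field) against the fixed
# version and lists administrator accounts created on or after disclosure.
# Input is the CSV that WP-CLI prints with --format=csv; in production replace
# the samples with the output of:
#   wp plugin list --fields=name,status,version --format=csv
#   wp user list --fields=ID,user_login,roles,user_registered --format=csv

FIXED_VERSION="5.3.9"         # from the advisory
DISCLOSURE_DATE="2024-05-17"  # from the advisory

# Constructed sample output of the plugin list command above.
SAMPLE_PLUGINS='name,status,version
akismet,active,5.3
et-core-plugin,active,5.3.8
woocommerce,inactive,8.9.1'

# Constructed sample output of the user list command above.
SAMPLE_USERS='ID,user_login,roles,user_registered
1,owner,administrator,2021-03-02 10:11:12
7,shop_manager,shop_manager,2023-08-15 09:00:00
42,wp_support,administrator,2024-05-20 03:14:15'

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
# Compares component by component as integers, so 5.3.10 is not "less than"
# 5.3.9 the way a plain string comparison would claim.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# plugin_version CSV SLUG: print the version column for SLUG (empty if absent).
plugin_version() {
    printf '%s\n' "$1" | awk -F, -v slug="$2" 'NR > 1 && $1 == slug { print $3 }'
}

# check_plugin CSV: print "vulnerable <v>", "fixed <v>" or "absent".
# Returns 1 only for the vulnerable case so it can gate a deploy pipeline.
check_plugin() {
    v=$(plugin_version "$1" "et-core-plugin")
    if [ -z "$v" ]; then
        echo "absent"
        return 0
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable $v"
        return 1
    fi
    echo "fixed $v"
    return 0
}

# late_admins CSV: logins holding the administrator role whose registration
# date is on or after DISCLOSURE_DATE. WP-CLI prints ISO dates, so a string
# comparison on the first ten characters orders them correctly.
late_admins() {
    printf '%s\n' "$1" | awk -F, -v since="$DISCLOSURE_DATE" '
        NR > 1 && index($3, "administrator") && substr($4, 1, 10) >= since { print $2 }'
}

# Stand-alone run over the constructed samples.
check_plugin "$SAMPLE_PLUGINS" || echo "ACTION: upgrade et-core-plugin to $FIXED_VERSION or later"
late_admins "$SAMPLE_USERS" | sed 's/^/REVIEW: administrator registered after disclosure: /'
```

On a live site, pipe the real WP-CLI output into `check_plugin` and `late_admins` instead of the samples; a non-zero exit from `check_plugin` is the signal to block a deploy, and every login printed by `late_admins` should be matched against a change ticket before it is allowed to keep the administrator role.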
CVE-2024-33552 is a critical vulnerability in XStore Core for WordPress that allows attackers to gain elevated privileges, potentially taking full control of the website.
You are affected if you are using XStore Core versions 5.3.8 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade XStore Core to version 5.3.9 or later to resolve this vulnerability. Ensure compatibility before upgrading.
While no active exploitation campaigns have been confirmed, the vulnerability's critical severity warrants immediate action to prevent potential attacks.
Refer to the 8theme website and WordPress plugin repository for the latest security advisories and updates regarding CVE-2024-33552.