Plateforme
wordpress
Composant
wishlist-member-x
Corrigé dans
3.26.7
3.26.7
CVE-2024-37109 is a critical Remote Code Execution (RCE) vulnerability discovered in the Wishlist Member plugin for WordPress. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to execute arbitrary code on the server. The vulnerability affects versions of the plugin up to and excluding 3.26.7, and a patch has been released in version 3.26.7.
The impact of this RCE vulnerability is severe. An attacker with Subscriber-level access can gain complete control over the WordPress server, potentially leading to data breaches, website defacement, malware installation, and complete system compromise. This could include accessing sensitive user data stored within the WordPress database, modifying website content, and using the server as a launchpad for further attacks against other systems on the network. The ease of exploitation, requiring only Subscriber privileges, significantly broadens the attack surface.
This vulnerability was publicly disclosed on June 20, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the plugin's popularity suggest a high likelihood of exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Wishlist Member plugin, particularly those with a large number of Subscriber-level users or those lacking robust access controls, are at significant risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
wp plugin list --status=active | grep Wishlist Member• wordpress / composer / npm:
wp plugin update --all• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wishlist-member/ | grep 'Wishlist Member'• generic web: Check WordPress plugin directory for version 3.26.7 or higher.
disclosure
Statut de l'Exploit
EPSS
0.85% (percentile 75%)
CISA SSVC
Vecteur CVSS
The primary mitigation is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the plugin's administrative functions to trusted users only. Implement a Web Application Firewall (WAF) with rules to block suspicious requests targeting the vulnerable plugin endpoints. Monitor WordPress logs for unusual activity, particularly requests originating from unauthorized users.
Update to version 3.26.7, or a newer patched version
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-37109 is a critical Remote Code Execution vulnerability in the Wishlist Member WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using Wishlist Member WordPress plugin versions prior to 3.26.7. Check your plugin version immediately.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. If immediate upgrade is not possible, restrict access and implement WAF rules.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high likelihood of exploitation attempts.
Refer to the Wishlist Member website and WordPress plugin directory for the latest advisory and update information.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.