Platform
wordpress
Component
postpage-import-export-with-custom-fields-taxonomies
Fixed in
2.0.4
CVE-2025-24677 is a code-injection vulnerability (improper control of code generation) in the wpspin Post/Page Copying Tool, the WordPress plugin published under the slug postpage-import-export-with-custom-fields-taxonomies. The flaw lets an attacker inject and include arbitrary code, which in a PHP application amounts to Remote Code Execution (RCE) and can hand over complete control of the affected site. All versions through 2.0.3 are affected; the fix ships in version 2.0.4.
The impact is severe. Code executed through this flaw runs as the web server user, so a successful attacker can read the WordPress configuration and database credentials, modify site content, drop web shells or other malware, and use the server as a foothold for further attacks. Because the weakness is a code-inclusion issue (Remote Code Inclusion, RCI), the attacker can pull the payload from a resource they control rather than having to place it on the target first, which widens the attack surface. Arbitrary code execution sidesteps WordPress's own permission model entirely, since the injected code runs outside it, and it puts both site integrity and data confidentiality at risk.
CVE-2025-24677 was publicly disclosed on 2025-02-04. No public proof-of-concept (PoC) had been confirmed at the time of writing, and the EPSS estimate shown on this page (0.12%, 31st percentile) rates the near-term likelihood of in-the-wild exploitation as low. The impact of a successful attack is nonetheless complete server compromise, so treat it as a patch-now issue and monitor security advisories and threat-intelligence feeds for signs of active exploitation campaigns.
Any WordPress site with the wpspin Post/Page Copying Tool installed at a version through 2.0.3 is exposed, whether or not the plugin is actively used for content migration or duplication. Shared hosting environments carry extra risk: where sites on one server are not isolated from each other, code execution obtained through one site's plugin can reach neighbouring sites.
• wordpress (filesystem):
ls -d /var/www/html/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/ && grep -rh -m1 'Version:' /var/www/html/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/*.php
• generic web (the plugin's readme.txt is normally world-readable and carries the installed release in its "Stable tag" line; the Server header the original check looked at says nothing about the plugin):
curl -s https://your-wordpress-site.com/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/readme.txt | grep -i '^Stable tag'
• wordpress (WP-CLI):
wp plugin list | grep postpage-import-export-with-custom-fields-taxonomies
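The checks above only tell you whether the plugin is present; deciding whether the installed release is in the vulnerable range still needs a version comparison, and naive string comparison gets 2.0.10 versus 2.0.4 wrong. The script below is an added example for this page, not code from the plugin or from wpspin. It reads the standard WordPress "Version:" header from the plugin directory (the page does not name the plugin's main file, so every top-level .php file is checked) and compares it field by field against the fixed version 2.0.4. The directory layout and plugin header in the demo at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's own code): classify an
# installed copy of postpage-import-export-with-custom-fields-taxonomies for
# CVE-2025-24677 (vulnerable when the version is strictly below 2.0.4).

FIXED_VERSION="2.0.4"

# version_lt A B -> exit 0 when dotted version A is strictly lower than B.
# Compares numerically per component, so 2.0.10 is correctly newer than 2.0.4
# and a short version such as 2.0 is treated as 2.0.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower than"
    }'
}

# plugin_version_from_dir DIR -> prints the value of the first "Version:" plugin
# header found in a top-level .php file of DIR; exit 1 when no header is found.
plugin_version_from_dir() {
    v=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# cve_2025_24677_status DIR -> prints exactly one of:
#   "not-installed"        DIR does not exist
#   "unknown"              DIR exists but no Version: header was found
#   "vulnerable <ver>"     version < 2.0.4
#   "patched <ver>"        version >= 2.0.4
cve_2025_24677_status() {
    dir="$1"
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver=$(plugin_version_from_dir "$dir") || { echo "unknown"; return 0; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Demo on a constructed plugin directory (sample data, not a real install;
# the file name plugin.php is an assumption, the real main file may differ).
demo_root=$(mktemp -d)
demo_dir="$demo_root/postpage-import-export-with-custom-fields-taxonomies"
mkdir -p "$demo_dir"
cat > "$demo_dir/plugin.php" <<'EOF'
<?php
/*
 * Plugin Name: Post/Page Copying Tool
 * Version: 2.0.3
 */
EOF
cve_2025_24677_status "$demo_dir"
rm -rf "$demo_root"
```

On a real host, point cve_2025_24677_status at wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies. If it reports "vulnerable", `wp plugin update postpage-import-export-with-custom-fields-taxonomies` applies the fix, and `wp plugin deactivate postpage-import-export-with-custom-fields-taxonomies` is the stop-gap when updating has to wait.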
Exploit Status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24677 is to upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later without delay. If the upgrade cannot be applied immediately because of compatibility concerns, deactivate the plugin until it can be; a deactivated plugin's code is no longer loaded by WordPress. A Web Application Firewall (WAF) with rules against code-injection payloads adds a layer of defence but is not a substitute for the patch. Review the installed plugin set regularly, keep only plugins that are trusted and maintained, and keep them current.
Update the 'Post/Page Copying Tool' plugin to version 2.0.4 or later to close the remote code execution vulnerability. The update corrects the missing control over code generation and so blocks the inclusion of malicious code. Back up the site before updating the plugin.
CVE-2025-24677 is a critical Remote Code Execution vulnerability in the wpspin Post/Page Copying Tool that allows an attacker to execute arbitrary code on a WordPress site.
Yes: every release of the wpspin Post/Page Copying Tool through 2.0.3 is affected by this RCE.
Upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later. If an immediate upgrade is not possible, deactivate the plugin until it is.
No confirmed exploitation is public at the time of writing, and the EPSS estimate (0.12%) is low; the impact of a successful attack is nonetheless complete server compromise, so patch promptly.
Refer to the wpspin project's official website or the WordPress plugin repository for the latest advisory and update information.