प्लेटफ़ॉर्म
wordpress
घटक
cwicly
में ठीक किया गया
1.4.1
CVE-2024-24707 describes a Remote Code Execution (RCE) vulnerability within the Cwicly Builder WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete server compromise. The vulnerability affects versions of Cwicly Builder up to and including 1.4.0.2, and a fix is available in version 1.4.1.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute arbitrary commands on the web server hosting the WordPress site. This could lead to data theft, website defacement, malware installation, or complete server takeover. Given the plugin's functionality as a visual builder, the attack surface is broad, potentially affecting any site using Cwicly Builder. The ability to execute arbitrary code bypasses standard WordPress security measures, making this a high-priority concern.
This vulnerability was publicly disclosed on April 3, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Cwicly Builder plugin, particularly those running versions prior to 1.4.1, are at significant risk. Shared hosting environments are especially vulnerable, as a compromised Cwicly Builder installation on one site could potentially impact other sites on the same server.
• wordpress / composer / npm:
wp plugin list | grep Cwicly• wordpress / composer / npm:
wp plugin update --all• wordpress / composer / npm:
wp plugin status | grep Cwicly• generic web: Check WordPress plugin directory for updated version 1.4.1 • wordpress / composer / npm:
wp plugin path cwicklydisclosure
एक्सप्लॉइट स्थिति
EPSS
0.42% (62% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation is to immediately upgrade Cwicly Builder to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Cwicly Builder functionality. While a direct WAF rule is difficult to implement without specific code injection patterns, monitoring for unusual file uploads or execution attempts related to Cwicly Builder can provide early detection. Review WordPress user permissions and ensure the principle of least privilege is enforced.
Cwicly प्लगइन को नवीनतम उपलब्ध संस्करण में अपडेट करें। रिमोट कोड एग्जीक्यूशन (RCE) भेद्यता 1.4.0.2 से बाद के संस्करणों में ठीक की जाती है। अपडेट करने के बारे में विस्तृत निर्देशों के लिए प्लगइन के दस्तावेज़ देखें।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-24707 is a critical Remote Code Execution vulnerability in the Cwicly Builder WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Cwicly Builder versions 1.4.0.2 or earlier. Upgrade to 1.4.1 to resolve the issue.
Upgrade the Cwicly Builder plugin to version 1.4.1 or later through the WordPress plugin management interface.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Cwicly website and WordPress plugin repository for the latest advisory and update information: https://www.cwicly.com/
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।