Platform: wordpress
Component: amazonsimpleadmin
Fixed in: 1.5.4
CVE-2024-8478 is a critical vulnerability affecting the Affiliate Super Assistent WordPress plugin. It allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to severe consequences such as website defacement, data theft, or even complete site takeover. This vulnerability impacts versions of the plugin up to and including 1.5.3. A patch is available; upgrading is the recommended remediation.
The arbitrary shortcode execution vulnerability allows an attacker to inject malicious shortcodes into comments on a WordPress site using the vulnerable plugin. If the 'Parse comments' option is enabled, these shortcodes will be executed, granting the attacker control over the site's functionality. This could involve injecting malicious JavaScript, displaying unauthorized content, or even executing arbitrary code on the server. The blast radius extends to any user accessing the affected website, as malicious shortcodes could be designed to steal user data or redirect visitors to phishing sites. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for large-scale exploitation.
CVE-2024-8478 was publicly disclosed on September 10, 2024. While no public exploits have been widely reported, the ease of exploitation makes it a likely target for automated scanners and malicious actors. The vulnerability is not currently listed on the CISA KEV catalog. The availability of a public proof-of-concept is likely, given the vulnerability's nature and the relatively short time since disclosure.
Websites using the Affiliate Super Assistent plugin, particularly those with the 'Parse comments' option enabled, are at significant risk. Shared hosting environments are especially vulnerable, as a compromised website on one account can potentially impact other accounts on the same server. WordPress sites with outdated plugins are also at increased risk.
• wordpress / composer / npm:
grep -r 'shortcode_atts' /var/www/html/wp-content/plugins/affiliate-super-assistent/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'affiliate-super-assistent'
• wordpress / composer / npm:
wp plugin list --status=active | grep 'affiliate-super-assistent'
Disclosure:
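The checks above only tell you whether the plugin is present. As an added example (not part of this advisory and not the plugin's own code), the POSIX shell script below reads the "Version:" header that WordPress requires in every plugin's main PHP file and compares it, component by component, against the fixed version 1.5.4. The plugin directory path, the lookup of the main file by its "Plugin Name:" header, and the sample header it is run on are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of this advisory: decide whether an installed copy of
# the plugin is still in the affected range (<= 1.5.3) by reading the
# "Version:" header that WordPress requires in every plugin's main PHP file.
# Assumptions: the plugin directory path, the main-file lookup by its
# "Plugin Name:" header, and numeric version components (a suffix such as
# "-beta" is ignored).

FIXED_VERSION="1.5.4"

# version_lt A B: exit 0 when dotted version A is lower than B, 1 otherwise.
# Compares component by component, so 1.10.0 correctly sorts above 1.9.9.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# plugin_version FILE: print the value of the first "Version:" header line.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r'
}

# is_affected FILE: exit 0 when the header version is below FIXED_VERSION,
# 1 when patched, 2 when the file carries no Version header.
is_affected() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "no Version header in $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# check_plugin_dir DIR: locate the main plugin file by its "Plugin Name:" header
# (assumed lookup) and run is_affected on it.
check_plugin_dir() {
    main=$(grep -l 'Plugin Name:[[:space:]]*Affiliate Super Assistent' "$1"/*.php 2>/dev/null | head -n 1)
    [ -n "$main" ] || { echo "plugin not found under $1" >&2; return 2; }
    is_affected "$main"
}

# Stand-alone demonstration on a constructed plugin header (not the real file).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/affiliate-super-assistent.php" <<'EOF'
<?php
/*
 * Plugin Name: Affiliate Super Assistent
 * Version: 1.5.3
 */
EOF
if check_plugin_dir "$SAMPLE_DIR"; then
    echo "affected: version $(plugin_version "$SAMPLE_DIR"/*.php) is below $FIXED_VERSION"
else
    echo "not affected (or plugin not found)"
fi
rm -rf "$SAMPLE_DIR"
# On a live site: check_plugin_dir /var/www/html/wp-content/plugins/affiliate-super-assistent
```

The header-based check works without wp-cli and without a database connection, which is useful when auditing many sites from the filesystem; the exit status (0 affected, 1 patched, 2 not found) lets it drop into a loop over a hosting account's sites.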
Exploit status:
EPSS: 1.87% (83rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-8478 is to upgrade the Affiliate Super Assistent plugin to a version that addresses the vulnerability. Check the plugin developer's website for the latest version. If upgrading is not immediately feasible, consider temporarily disabling the 'Parse comments' option within the plugin's settings. This will prevent the execution of shortcodes in comments, but may impact legitimate comment functionality. Web application firewalls (WAFs) configured to detect and block malicious shortcode injections can provide an additional layer of protection. Monitor WordPress logs for suspicious activity, such as unexpected shortcode executions.
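The monitoring advice above is easiest to act on by looking at the comments themselves, since those are what the 'Parse comments' option feeds to the shortcode engine. As an added example (not part of this advisory), the POSIX shell script below scans a tab-separated export of comment_ID and comment_content from the wp_comments table and reports every comment whose body contains shortcode syntax, together with the tag names used. The export it runs on is constructed for the demonstration; it assumes one comment per line with no tab characters inside the body.

```shell
#!/bin/sh
# Added example, not part of this advisory: hunt the site's stored comments for
# shortcode syntax, i.e. the bodies the plugin's 'Parse comments' path would
# expand. Input is a tab-separated export of comment_ID and comment_content
# from the wp_comments table; the export below is constructed for the demo.
# Assumption: one comment per line with no tab characters inside the body.

# shortcode_tags TEXT: print each shortcode-like tag name in TEXT, one per line.
# Matches the opening, closing and self-closing forms WordPress accepts:
# [tag attr="v"], [/tag], [tag/]. Tag names: letters, digits, '_' and '-'.
shortcode_tags() {
    printf '%s\n' "$1" | grep -o '\[/*[A-Za-z0-9_-][A-Za-z0-9_-]*' | sed 's/^\[\/*//' | sort -u
}

# flag_comments FILE: print "comment_ID<TAB>tag ..." for every comment that
# carries shortcode syntax; exit 0 if at least one was flagged, 1 if none.
flag_comments() {
    found=1
    tab=$(printf '\t')
    while IFS="$tab" read -r id body; do
        tags=$(shortcode_tags "$body" | tr '\n' ' ')
        if [ -n "$tags" ]; then
            printf '%s\t%s\n' "$id" "${tags% }"
            found=0
        fi
    done < "$1"
    return "$found"
}

# Constructed sample export for a stand-alone run.
SAMPLE=$(mktemp)
printf '101\tGreat post, thanks!\n' > "$SAMPLE"
printf '102\tCheck this: [gallery ids="1,2"] and [my_widget/]\n' >> "$SAMPLE"
printf '103\tItem 5 of [10] on the list\n' >> "$SAMPLE"
printf '104\t[contact-form]\n' >> "$SAMPLE"
flag_comments "$SAMPLE"
rm -f "$SAMPLE"
```

The scan is deliberately broad: anything bracketed like a shortcode is reported, so a comment such as "Item 5 of [10]" shows up as a candidate even though no shortcode named 10 exists. Only tag names registered on the site actually expand, so the flagged tag names are the thing to compare against the shortcodes the installed theme and plugins register; a flagged comment that uses a registered name, posted by an unauthenticated author, is the case worth investigating, and it is also the case that disabling 'Parse comments' neutralises until the plugin is upgraded.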
Update the Affiliate Super Assistent plugin to the latest available version. This fixes the vulnerability that allows execution of arbitrary shortcodes via comments.
CVE-2024-8478 is a HIGH severity vulnerability in the Affiliate Super Assistent WordPress plugin allowing unauthenticated attackers to execute arbitrary shortcodes via comments when 'Parse comments' is enabled, potentially leading to site takeover.
You are affected if you are using Affiliate Super Assistent version 1.5.3 or earlier and have the 'Parse comments' option enabled. Check your plugin version and update immediately.
Upgrade the Affiliate Super Assistent plugin to the latest version available from the plugin developer. As a temporary workaround, disable the 'Parse comments' option within the plugin's settings.
While no widespread exploitation has been confirmed, the ease of exploitation suggests it is a likely target for malicious actors. Monitor your website for suspicious activity.
Check the Affiliate Super Assistent plugin developer's website and WordPress plugin repository for the latest advisory and update information.