Platform
wordpress
Component
time-clock
Fixed in
1.1.5
1.2.3
CVE-2024-9593 is a critical Remote Code Execution (RCE) vulnerability impacting the Time Clock and Time Clock Pro plugins for WordPress. This flaw allows unauthenticated attackers to execute code on a vulnerable server without needing credentials. The vulnerability affects versions up to 1.2.2 for Time Clock and 1.1.4 for Time Clock Pro. A patch has been released, and users are strongly advised to upgrade immediately.
The impact of this vulnerability is severe. An attacker can gain complete control of the WordPress server by exploiting this RCE. This could lead to data breaches, website defacement, malware installation, and potentially compromise other systems on the same network. Given the plugin's function (time tracking), sensitive employee data like salaries, hours worked, and personal information could be at risk. The lack of authentication requirements significantly lowers the barrier to entry for attackers, making this a high-priority vulnerability to address.
This vulnerability was publicly disclosed on 2024-10-18. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the lack of authentication make it a likely target. No Proof of Concept (PoC) code has been publicly released, but the vulnerability's nature suggests that it is relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
WordPress websites using the Time Clock or Time Clock Pro plugins, particularly those running older, unpatched versions, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates. Businesses relying on these plugins for time tracking and employee management are at risk of data compromise.
• wordpress / composer / npm:
grep -r 'etimeclockwp_load_function_callback' /var/www/html/wp-content/plugins/time-clock/
• wordpress / composer / npm:
wp plugin list | grep 'Time Clock'
• wordpress / composer / npm:
wp plugin update time-clock time-clock-pro
• generic web:
Check WordPress plugin versions using wp plugin list and compare against affected versions (≤1.2.2 & ≤1.1.4).
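As an added example that is not part of this advisory, the version check above scripted in Python: it reads the Version: field of each plugin's header the way wp plugin list does and compares it against the fixed-in releases (the sample header is constructed, and the plugins directory path is whatever you pass in):

```python
# Added example (not from the advisory): decide whether an installed
# Time Clock / Time Clock Pro plugin falls in the range affected by
# CVE-2024-9593 by reading the Version: field of its plugin header.
import re
from pathlib import Path

# Fixed-in versions stated in the advisory; any lower version is affected.
FIXED_IN = {
    "time-clock": (1, 2, 3),
    "time-clock-pro": (1, 1, 5),
}

# Matches the "Version: x.y.z" line of a WordPress plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(text):
    """'1.2.2' -> (1, 2, 2); tuple comparison then gives numeric ordering."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_header(source):
    """Return the version declared in a plugin header, or None if absent."""
    match = VERSION_RE.search(source)
    return parse_version(match.group(1)) if match else None


def is_affected(slug, version):
    """True when `version` of plugin `slug` is below its fixed-in release."""
    fixed = FIXED_IN[slug]
    width = max(len(fixed), len(version))
    pad = lambda v: v + (0,) * (width - len(v))  # treat 1.2 as 1.2.0
    return pad(version) < pad(fixed)


def check_plugins_dir(plugins_dir):
    """Scan wp-content/plugins for both plugins; map slug -> (version, affected)."""
    findings = {}
    for slug in FIXED_IN:
        for php in (Path(plugins_dir) / slug).glob("*.php"):
            version = version_from_header(php.read_text(errors="ignore"))
            if version is not None:
                findings[slug] = (version, is_affected(slug, version))
                break
    return findings


# Constructed sample header mimicking an unpatched Time Clock install.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Time Clock\nVersion: 1.2.2\n*/\n"

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print("time-clock", ".".join(map(str, v)), "affected:", is_affected("time-clock", v))
```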
disclosure
Exploit status
EPSS
82.47% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Time Clock and Time Clock Pro plugins to the latest available versions, which contain the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugins. Web Application Firewalls (WAFs) can be configured to block requests targeting the vulnerable 'etimeclockwp_load_function_callback' function. Regularly review WordPress plugin security and consider using a security scanner to identify and address potential vulnerabilities.
Update the Time Clock plugin to the latest available version. This will fix the remote code execution vulnerability.
CVE-2024-9593 is a Remote Code Execution vulnerability affecting the Time Clock and Time Clock Pro WordPress plugins, allowing attackers to execute code on the server without authentication.
You are affected if you are using Time Clock or Time Clock Pro versions 1.2.2 or earlier, or 1.1.4 or earlier, respectively. Check your plugin versions immediately.
Upgrade the Time Clock and Time Clock Pro plugins to the latest available versions. If upgrading is not immediately possible, disable the plugins temporarily.
While no confirmed active exploitation campaigns are known, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems closely.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.