プラットフォーム
wordpress
コンポーネント
post-meta-data-manager
修正版
1.4.4
1.4.5
CVE-2024-13835 is a privilege escalation vulnerability discovered in the Post Meta Data Manager plugin for WordPress. An authenticated attacker with Administrator-level access can exploit this flaw to gain elevated privileges on subsites within a multisite WordPress installation. This vulnerability affects versions of the plugin up to and including 1.4.4. A patch is available to resolve this issue.
This vulnerability allows an authenticated administrator on a WordPress multisite installation to bypass access controls and gain administrative privileges on subsites they would normally not have access to. An attacker could leverage this to modify site content, install malicious plugins or themes, or compromise user accounts on those subsites. The potential impact extends to data breaches, website defacement, and complete site takeover of affected subsites. This vulnerability highlights the importance of proper access control verification within WordPress plugins, especially in multisite environments.
CVE-2024-13835 was publicly disclosed on 2025-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the presence of a WordPress multisite installation and the attacker's ability to obtain administrator-level access to the main site.
WordPress multisite installations using the Post Meta Data Manager plugin are at risk. Specifically, sites with a large number of subsites or those with less stringent user access controls are more vulnerable. Shared hosting environments where plugin updates are not managed by the user also face increased risk.
• wordpress / composer / npm:
grep -r 'wp_kses_post' /var/www/html/wp-content/plugins/post-meta-data-manager/• wordpress / composer / npm:
wp plugin list --status=all | grep 'Post Meta Data Manager'• wordpress / composer / npm:
wp plugin update --alldisclosure
エクスプロイト状況
EPSS
0.22% (45% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2024-13835 is to upgrade the Post Meta Data Manager plugin to a version higher than 1.4.4, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider restricting administrator access to the main site and implementing stricter user role permissions on subsites. Regularly review user roles and permissions to ensure they align with the principle of least privilege. After upgrading, confirm the fix by attempting to access a subsites as a user with limited privileges and verifying that access is denied.
既知の修正パッチはありません。脆弱性の詳細を詳細に確認し、組織のリスク許容度に基づいて軽減策を実施してください。影響を受けるソフトウェアをアンインストールし、代替手段を見つけるのが最善かもしれません。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2024-13835 is a vulnerability in the Post Meta Data Manager plugin for WordPress that allows authenticated administrators to gain elevated privileges on subsites within a multisite installation.
You are affected if you are using the Post Meta Data Manager plugin in a WordPress multisite environment and are running a version equal to or less than 1.4.4.
Upgrade the Post Meta Data Manager plugin to a version greater than 1.4.4. This resolves the privilege escalation vulnerability.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2024-13835.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。