Platform: wordpress
Component: salesking
Fixed version: 1.6.16
CVE-2024-22157 describes an Improper Privilege Management vulnerability within WebWizards SalesKing, enabling Privilege Escalation. This flaw allows attackers to bypass intended access controls and potentially gain administrative access. The vulnerability affects SalesKing versions up to 1.6.15, and a patch is available in version 1.6.16.
Successful exploitation of CVE-2024-22157 lets an attacker escalate privileges within the SalesKing WordPress plugin and, through it, on the WordPress site itself: modifying content, installing malicious plugins, stealing data held by the site (user credentials, customer records, financial data) and, from there, compromising the underlying server. Because SalesKing is used to manage customer relationships and sales processes, the data at risk is valuable, and a compromised instance can serve as a foothold for attacks against the rest of the network.
CVE-2024-22157 was publicly disclosed on 2024-05-17. As of this writing there is no publicly available proof-of-concept exploit, and the CVE is not listed in the CISA KEV catalog. Note that a CRITICAL CVSS score measures impact, not the likelihood of exploitation; the EPSS estimate for this CVE is currently low (0.52%). Even so, a privilege-escalation flaw in a publicly distributed WordPress plugin is the kind of bug that is quickly weaponised once a proof of concept appears, so it warrants close monitoring.
Organizations using SalesKing for customer relationship management or sales tracking are at significant risk. Specifically, those running older versions of SalesKing (≤1.6.15) and those with limited security monitoring or patching practices are particularly vulnerable. Shared WordPress hosting environments are also at increased risk, as a compromised SalesKing plugin on one site could potentially impact other sites on the same server.
Detection and update commands (WordPress with WP-CLI; the plugin slug is assumed to be salesking, as listed in the component metadata above):
• Confirm whether the plugin is installed, and with which status and version (do not filter on --status=inactive, which would hide an active and therefore exploitable install): wp plugin list --fields=name,status,version | grep -i salesking
• Print the installed version: wp plugin get salesking --field=version
• Update the plugin (or all plugins with wp plugin update --all): wp plugin update salesking
• Locate any copy on disk, including ones WordPress does not list: grep -ril 'Plugin Name: SalesKing' /var/www/html/wp-content/plugins/
Exploit status
EPSS: 0.52% (67th percentile)
The primary mitigation for CVE-2024-22157 is to upgrade SalesKing to version 1.6.16 or later immediately. If an immediate upgrade is not feasible because of compatibility testing, deactivate the plugin until it can be upgraded, or at least restrict who can reach its functionality by tightening user roles and limiting self-registration. The advisory does not describe the vulnerable code path, so generic input-validation rules or WAF signatures are guesswork: treat them as defence in depth, not as a substitute for patching. After upgrading, verify the fix in two steps: confirm that the installed version is 1.6.16 or later, then, using a non-administrative test account (for example a Subscriber), attempt the plugin's administrative functions and confirm that access is denied.
Update the SalesKing plugin to the latest version. The unauthenticated privilege escalation vulnerability is fixed in version 1.6.16 and later. To update, open the Plugins section of the WordPress admin dashboard, locate SalesKing and update it.
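As an added example (not from the advisory and not SalesKing's own code), the following POSIX shell script performs the version check from the detection and verification steps above offline against a plugin directory. It locates SalesKing by its plugin header rather than by path, because the plugin's directory and main file name are not stated on this page and are assumed; it parses the Version: header and compares it component by component against the fixed version 1.6.16 taken from the metadata above. The sample plugin tree it builds for the no-argument run is constructed data. Where WP-CLI is available, `wp plugin get salesking --field=version` (slug assumed) is the shorter equivalent.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the SalesKing project.
# Finds a SalesKing install under a wp-content/plugins directory by its
# "Plugin Name:" header, reads its "Version:" header and compares it with the
# fixed version. The plugin's directory and main file name are assumptions, so
# the scan keys on the header text rather than on a path.

FIXED_VERSION="1.6.16"   # fixed version from the advisory metadata

# header_field <file> <field>: print a WordPress plugin header value ("Version").
header_field() {
  sed -n "s/^[[:space:]]*\**[[:space:]]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" \
    | head -n 1 | tr -d '\r'
}

# version_lt <a> <b>: exit 0 when dotted version a is strictly lower than b.
# Components are compared as integers; missing components count as 0 and a
# non-numeric suffix ("16-rc1") is ignored, which is enough for "1.6.15 < 1.6.16".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
  done
  return 1
}

# salesking_status <plugins-dir>: print "not-installed", "patched <ver> <file>",
# "vulnerable <ver> <file>" or "unknown-version <file>"; exit 0 only when the
# copy needs attention, so the script can gate a cron job or an alert.
salesking_status() {
  for f in "$1"/*/*.php "$1"/*.php; do
    [ -f "$f" ] || continue
    grep -qi '^[[:space:]]*\**[[:space:]]*Plugin Name:[[:space:]]*SalesKing' "$f" || continue
    v="$(header_field "$f" Version)"
    [ -n "$v" ] || { echo "unknown-version $f"; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then
      echo "vulnerable $v $f"; return 0
    fi
    echo "patched $v $f"; return 1
  done
  echo "not-installed"; return 1
}

# make_sample_tree: build a constructed plugins directory (sample data, not real
# plugin code) so the check can be exercised offline; prints its path.
make_sample_tree() {
  d="$(mktemp -d)"
  mkdir -p "$d/salesking" "$d/akismet"
  printf '%s\n' '<?php' '/**' ' * Plugin Name: SalesKing' ' * Version: 1.6.15' ' */' \
    > "$d/salesking/salesking.php"
  printf '%s\n' '<?php' '/**' ' * Plugin Name: Akismet Anti-spam' ' * Version: 5.3' ' */' \
    > "$d/akismet/akismet.php"
  echo "$d"
}

# Usage: sh check-salesking.sh [/path/to/wp-content/plugins]
# Without an argument it scans the constructed sample tree instead.
if [ -n "${1:-}" ]; then
  salesking_status "$1"
else
  d="$(make_sample_tree)"
  salesking_status "$d"
  rm -rf "$d"
fi
```

Run it against the real plugin directory (typically /var/www/html/wp-content/plugins) before and after the upgrade: the first run should report "vulnerable 1.6.15 ...", the second "patched 1.6.16 ...". The non-zero exit status for a patched or absent plugin is deliberate, so that a cron entry of the form `sh check-salesking.sh /path/to/plugins && mail ...` only fires when action is needed.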
CVE-2024-22157 is a critical vulnerability in SalesKing allowing attackers to gain elevated privileges, potentially compromising the entire WordPress site. It affects versions up to 1.6.15.
Yes, if you are using SalesKing version 1.6.15 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade SalesKing to version 1.6.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access based on user roles.
As of now there is no publicly known exploit. The CRITICAL severity reflects the impact of a successful attack rather than the probability of one, but privilege-escalation flaws in WordPress plugins are routinely weaponised once a proof of concept appears, so patch before that happens.
Refer to the official SalesKing website or their WordPress plugin page for the latest security advisory and update information.