Platform
wordpress
Component
demo-my-wordpress
Fixed version
1.0.10
CVE-2024-31290 describes a Privilege Escalation vulnerability discovered in the Demo My WordPress plugin. This flaw allows attackers to bypass intended access controls and potentially gain administrative privileges within a WordPress site. The vulnerability impacts versions of Demo My WordPress up to and including 1.0.9.1, and a fix is available in version 1.0.10.
Successful exploitation of CVE-2024-31290 could grant an attacker complete control over a WordPress website. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, database information), and even deface the site. The impact is particularly severe because privilege escalation allows an attacker to bypass standard authentication mechanisms, making it easier to compromise the entire system. The potential for data exfiltration and website takeover makes this a high-priority vulnerability to address.
CVE-2024-31290 was publicly disclosed on 2024-05-17. Currently, there are no publicly available proof-of-concept exploits. The vulnerability's criticality (CVSS 9.8) suggests a high likelihood of exploitation if a PoC is released. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Demo My WordPress plugin, particularly those running versions prior to 1.0.10, are at significant risk. Shared hosting environments where plugin updates are not managed by the user are especially vulnerable, as are sites with weak user access controls.
• wordpress / composer / npm:
wp plugin list | grep demo-my-wordpress
• wordpress / composer / npm:
wp plugin update --all
• wordpress / composer / npm:
wp plugin status | grep demo-my-wordpress
• wordpress / composer / npm:
wp plugin path demo-my-wordpress
Disclosure
Exploit status
EPSS
0.41% (61st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-31290 is to upgrade the Demo My WordPress plugin to version 1.0.10 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, restrict access to the plugin's administrative interface using WordPress user roles and capabilities in the meantime. Review WordPress security logs for any suspicious activity related to the plugin. A WAF rule specific to this issue is unlikely to be available, but monitoring for unusual user activity or attempts to reach restricted plugin functions can provide early warning.
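An added check script (example code, not from the advisory or the plugin vendor) that decides whether an installed demo-my-wordpress version is in the affected range; it assumes WP-CLI (`wp`) is on PATH and is run from the WordPress root, and it uses the component slug given above. It compares versions component by component, because a plain string comparison ranks 1.0.9.1 above 1.0.10 and would report a vulnerable install as patched.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed
# demo-my-wordpress version falls in the affected range (< 1.0.10).
FIXED_VERSION="1.0.10"

# version_lt A B: return 0 when A < B, comparing dot-separated numeric
# components. A plain string comparison would rank "1.0.9.1" above
# "1.0.10" and misclassify a vulnerable install as patched.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"          # missing component counts as 0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# is_vulnerable VERSION: return 0 when VERSION is affected by CVE-2024-31290
# (every release before the fixed version 1.0.10).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: read the installed version through WP-CLI (assumes `wp` is on
# PATH and the script runs from the WordPress root) and print a verdict.
# Exit status: 0 = patched or not installed, 2 = vulnerable.
check_site() {
    installed=$(wp plugin get demo-my-wordpress --field=version 2>/dev/null) || {
        echo "demo-my-wordpress is not installed"
        return 0
    }
    if is_vulnerable "$installed"; then
        echo "VULNERABLE: demo-my-wordpress $installed is below $FIXED_VERSION"
        return 2
    fi
    echo "OK: demo-my-wordpress $installed is at or above $FIXED_VERSION"
}
```

Run `check_site` from the site root; its non-zero exit status on a vulnerable install makes it usable from a cron job or deployment gate.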
Update the Demo My WordPress plugin to the latest version. An unauthenticated privilege escalation vulnerability exists in versions prior to the latest release; updating fixes this security issue.
CVE-2024-31290 is a critical vulnerability in Demo My WordPress allowing attackers to gain unauthorized access and elevate privileges, potentially taking full control of the WordPress site.
Yes, if you are using Demo My WordPress version 1.0.9.1 or earlier, you are vulnerable to this privilege escalation issue.
Upgrade Demo My WordPress to version 1.0.10 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict access to the plugin's admin interface.
While no public exploits are currently available, the high severity score suggests a potential for exploitation if a proof-of-concept is released.
Refer to the CodeRevolution website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-31290.