Platform
wordpress
Component
json-api-user
Fixed version
3.9.4
A critical privilege escalation vulnerability (CVE-2024-6624) has been identified in the JSON API User plugin for WordPress, affecting all versions up to and including 3.9.3. The flaw allows unauthenticated attackers to register accounts that hold the administrator role, effectively gaining full control of the site. It stems from improper controls on custom user meta fields during registration, and it is only reachable when the JSON API plugin is also installed. Version 3.9.4 fixes the issue.
The impact of CVE-2024-6624 is severe. An unauthenticated attacker can register an account with the administrator role, which grants complete control of the site: modifying content, installing malicious plugins, reading sensitive data, and potentially compromising the underlying server. The precondition that the JSON API plugin is also installed narrows exposure very little in practice, because JSON API User is an extension of JSON API and is deployed alongside it on the sites that use it. Given how widely WordPress is used, unpatched sites are exposed to large-scale automated compromise.
CVE-2024-6624 was publicly disclosed on 2024-07-11. No public proof-of-concept (PoC) has been widely released, but the flaw requires no authentication and no precondition beyond the two plugins being installed, so attackers are likely scanning for vulnerable instances; the EPSS score recorded on this page (43.45%, 97th percentile) reflects that expectation. It is not currently listed in the CISA KEV catalog.
WordPress sites running JSON API User 3.9.3 or earlier alongside the JSON API plugin are at significant risk. On shared hosting, a compromised site can become a pivot to other sites on the same host where isolation between accounts is weak. Sites that expose the JSON API for custom functionality, and therefore cannot simply deactivate it, are at increased risk because upgrading is then the only effective mitigation.
• wordpress (WP-CLI): confirm whether the plugin is installed and which version is present.
wp plugin list | grep "json-api-user"
• wordpress (WP-CLI): check activation status and version of the plugin.
wp plugin status json-api-user
• wordpress (WP-CLI): upgrade the plugin to the fixed release (3.9.4 or later). Note that --all updates every plugin and is not combined with a plugin name.
wp plugin update json-api-user
• wordpress (WP-CLI): check whether self-registration is enabled; the WordPress option is users_can_register (1 = open registration).
wp option get users_can_register
• wordpress (WP-CLI): list administrator accounts and their creation dates, and look for any you do not recognise.
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
• generic web: check WordPress access logs for unusual user registration attempts, especially requests to the plugin's registration API from unknown IP addresses.
Disclosure
Exploit status
EPSS
43.45% (97th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-6624 is to upgrade the JSON API User plugin to 3.9.4 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, temporarily deactivate the plugin; deactivating the JSON API plugin also removes the precondition, at the cost of any API functionality that depends on it. Disabling open self-registration (the users_can_register option) and limiting access to administrative areas reduce the potential impact but are not a substitute for the patch. Monitor access logs for registration requests to the plugin's API. After upgrading, confirm the fix by attempting an unauthenticated registration through the plugin and verifying that the resulting account, if one is created at all, receives only the site's default role and not administrator; then review the administrator accounts with wp user list --role=administrator and remove any you do not recognise.
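The detection commands and the post-upgrade check above can be tied together in one triage script. The following is an added example written for this page, not code from the plugin project or the advisory. It assumes WP-CLI (wp) is installed and the script runs from the WordPress root when invoked with --live; without that flag it runs against constructed sample data embedded below. The pattern it greps for in access logs assumes the plugin's registration call is reached through the JSON API controller path user/register (either ?json=user/register or /api/user/register/), which you should confirm against your own site's configuration.

```shell
#!/usr/bin/env bash
# Added triage helper for CVE-2024-6624 (JSON API User <= 3.9.3). Example code for this page,
# not from the plugin project. Assumes WP-CLI is installed when run with --live, and that the
# registration call lives under the JSON API controller path "user/register" (an assumption).
set -u

PLUGIN_SLUG="json-api-user"   # affected plugin
DEPENDENCY_SLUG="json-api"    # the flaw is only reachable when this plugin is installed too
FIXED_VERSION="3.9.4"         # first fixed release per the advisory

# version_lt A B: succeed (exit 0) when dotted version A is numerically lower than B.
# Pure awk, so it does not depend on GNU "sort -V".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# assess: read "wp plugin list --fields=name,status,update,version --format=csv" on stdin and
# print one verdict: NOT_INSTALLED, INACTIVE, VULNERABLE_NO_JSON_API, VULNERABLE or PATCHED.
assess() {
  local name status update version found=0 plugin_status="" plugin_version="" dep_found=0
  while IFS=, read -r name status update version || [ -n "$name" ]; do
    [ "$name" = "name" ] && continue                  # skip the CSV header row
    if [ "$name" = "$PLUGIN_SLUG" ]; then
      found=1; plugin_status="$status"; plugin_version="$version"
    elif [ "$name" = "$DEPENDENCY_SLUG" ]; then
      dep_found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "NOT_INSTALLED"
  elif [ "$plugin_status" != "active" ]; then
    echo "INACTIVE"                                   # deactivation is the advisory's stop-gap
  elif version_lt "$plugin_version" "$FIXED_VERSION"; then
    if [ "$dep_found" -eq 1 ]; then echo "VULNERABLE"; else echo "VULNERABLE_NO_JSON_API"; fi
  else
    echo "PATCHED"
  fi
  return 0
}

# suspicious_registrations: print access-log lines that hit the JSON API register call,
# for correlation with the administrator list from "wp user list --role=administrator".
suspicious_registrations() {
  grep -E '(json=|/api/)user/register' || true       # no matches is not an error
}

# Constructed sample data (not real WP-CLI output or traffic) so the helpers run offline.
SAMPLE_PLUGINS='name,status,update,version
json-api,active,none,1.1.1
json-api-user,active,available,3.9.3
akismet,inactive,none,5.3'

SAMPLE_LOG='203.0.113.7 - - [11/Jul/2024:10:02:11 +0000] "POST /?json=user/register&username=ops HTTP/1.1" 200 312
198.51.100.4 - - [11/Jul/2024:10:02:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4411
203.0.113.7 - - [11/Jul/2024:10:02:19 +0000] "POST /api/user/register/ HTTP/1.1" 200 298'

if [ "${1:-}" = "--live" ] && command -v wp >/dev/null 2>&1; then
  wp plugin list --fields=name,status,update,version --format=csv | assess
  echo "users_can_register=$(wp option get users_can_register)"
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
else
  printf '%s\n' "$SAMPLE_PLUGINS" | assess
  printf '%s\n' "$SAMPLE_LOG" | suspicious_registrations
fi
```

Run it with --live from the site root to get a verdict for the real install, the registration setting, and the administrator roster; feed the live output of suspicious_registrations with your access log on stdin (for example cat /var/log/nginx/access.log | suspicious_registrations after sourcing the script) and compare the timestamps of any hits against the user_registered column of the administrator list. VULNERABLE_NO_JSON_API means the vulnerable code is present but the precondition is not met; it should still be upgraded, since installing JSON API later would make it exploitable.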
Update the JSON API User plugin to the latest version. This fixes the privilege escalation vulnerability that lets unauthenticated attackers register as administrators on the site.
CVE-2024-6624 is a critical privilege escalation vulnerability in the JSON API User plugin for WordPress, versions up to and including 3.9.3, that allows unauthenticated attackers to register as administrators. It is fixed in version 3.9.4.
Yes, if you are using the JSON API User plugin in WordPress at version 3.9.3 or earlier, and the JSON API plugin is also installed, you are affected by this vulnerability.
Upgrade the JSON API User plugin to version 3.9.4 or later. If an immediate upgrade is not possible, temporarily deactivate the plugin.
No public PoC has been released, but the vulnerability's criticality and ease of exploitation make active exploitation likely; the EPSS estimate on this page is 43.45%.
Refer to the official JSON API User plugin website or the WordPress security advisory for the latest information and updates.