Platform: wordpress
Component: wpcom-member
Fixed version: 1.5.3
CVE-2024-7493 is a privilege escalation vulnerability affecting the WPCOM Member plugin for WordPress. This flaw allows unauthenticated attackers to elevate their user role to administrator during the registration process, granting them complete control over the affected WordPress site. The vulnerability impacts versions up to and including 1.5.2.1, and a patch is available from the plugin developers.
The impact of CVE-2024-7493 is severe. Successful exploitation allows an attacker to gain full administrative access to a WordPress site without requiring any prior authentication. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially compromise the entire server. The ease of exploitation, requiring only a successful registration, significantly broadens the attack surface and increases the risk of widespread compromise for WordPress installations using the vulnerable plugin.
CVE-2024-7493 was publicly disclosed on 2024-09-06. No known public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation makes it a likely target. It is not currently listed on the CISA KEV catalog. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
WordPress websites using the WPCOM Member plugin are at risk, especially sites running WordPress versions on which the plugin is commonly deployed and sites with limited security monitoring or no automated update process. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not applied promptly.
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep wpcom-member
• wordpress / composer / npm:
  wp plugin update --all
• wordpress / composer / npm:
  wp plugin status wpcom-member
• wordpress / composer / npm:
  wp option get admin_email  # Check for unusual admin email addresses after registration
Exploit status
EPSS
1.02% (77th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7493 is to immediately update the WPCOM Member plugin to a version higher than 1.5.2.1. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new registrations. While a direct WAF rule is difficult to implement, monitoring for unusual user registration patterns (e.g., rapid role changes) can provide early detection. After upgrading, verify the fix by attempting a new user registration and confirming that the user role is not automatically elevated to administrator.
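The two checks the mitigation text asks for, deciding whether an installed plugin version falls in the affected range (up to and including 1.5.2.1) and flagging administrator accounts that appeared through registration after a chosen date, as an added example that is not part of this advisory or of the WPCOM Member plugin. It assumes the user list is the JSON that `wp user list --fields=ID,user_login,user_registered,roles --format=json` emits (roles as a comma-separated string); the sample users embedded below are constructed, not real site data.

```python
"""Added example for CVE-2024-7493 triage (not from the advisory or the plugin).

Assumption: user data is the JSON produced by
  wp user list --fields=ID,user_login,user_registered,roles --format=json
The sample data below is constructed.
"""
import json
from datetime import datetime

AFFECTED_MAX = "1.5.2.1"          # from the advisory: versions <= this are affected
DISCLOSURE_DATE = "2024-09-06"    # public disclosure date stated in the advisory


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so that '1.5.3' > '1.5.2.1' and
    '1.10.0' > '1.9.0'; plain string comparison gets both of these wrong."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when the installed version is within the affected range (<= max_affected)."""
    a, b = parse_version(installed), parse_version(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # treat '1.5.2' as '1.5.2.0'
    b += (0,) * (width - len(b))
    return a <= b


def suspicious_admins(users_json: str, since: str) -> list:
    """Return logins of accounts holding the administrator role whose registration
    timestamp is on or after `since` (YYYY-MM-DD). On a site where admins are only
    ever created by hand, any hit here deserves a closer look."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample resembling `wp user list ... --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-10 09:12:00",
     "roles": "administrator"},
    {"ID": 57, "user_login": "reader42", "user_registered": "2024-09-07 14:01:33",
     "roles": "subscriber"},
    {"ID": 58, "user_login": "newadmin", "user_registered": "2024-09-07 14:02:10",
     "roles": "administrator"},
])

if __name__ == "__main__":
    for v in ("1.5.2.1", "1.5.2.2", "1.5.3"):
        print(f"WPCOM Member {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("administrators registered since disclosure:",
          suspicious_admins(SAMPLE_USERS, DISCLOSURE_DATE))
```

In practice the version string comes from `wp plugin get wpcom-member --field=version` and the user list from the `wp user list` command above; running the second check on a schedule, with `since` set to the last time the list was reviewed, gives the early-detection signal the mitigation text refers to.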
Update the WPCOM Member plugin to the latest version. Version 1.5.2.2 and later fix this privilege escalation vulnerability, preventing unauthenticated users from registering as administrators.
CVE-2024-7493 is a critical vulnerability in the WPCOM Member plugin for WordPress allowing unauthenticated attackers to gain administrator privileges during user registration.
You are affected if your WordPress site uses the WPCOM Member plugin version 1.5.2.1 or earlier. Check your plugin version and update immediately.
Update the WPCOM Member plugin to a version higher than 1.5.2.1. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target. Monitor your site closely.
Refer to the official WPCOM Member plugin website or WordPress.org plugin repository for the latest advisory and update information.