CVE-2024-50450 · CVSS 7.3 (HIGH)

WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3.4 - Bypass Vulnerability


Platform

wordpress

Component

wp-meta-data-filter-and-taxonomy-filter

Fixed in

1.3.4

AI Confidence: high · Source: NVD · EPSS 53.5% · Assessed: May 2026

CVE-2024-50450 describes a Code Injection vulnerability discovered in the WordPress Meta Data and Taxonomies Filter (MDTF) plugin. This flaw allows attackers to inject arbitrary code, potentially compromising the entire WordPress site. The vulnerability affects versions of the plugin up to and including 1.3.3.4, and a fix is available in version 1.3.4.

WordPress


Impact and Attack Scenarios

Successful exploitation of CVE-2024-50450 allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could lead to complete website takeover, data theft (including user credentials and sensitive data stored in the database), defacement, and the installation of malware. The impact is particularly severe because WordPress is a widely used content management system, and many websites rely on plugins like MDTF for extended functionality. A successful attack could also be used to pivot to other systems on the same network, expanding the blast radius. This vulnerability shares similarities with other code injection flaws in WordPress plugins, where insufficient input validation allows malicious code to be injected and executed.

Exploitation Context

CVE-2024-50450 was publicly disclosed on 2024-10-28. There is currently no indication of active exploitation in the wild, but the availability of a public code injection vulnerability significantly increases the risk. The EPSS score is likely to be assessed as medium due to the ease of exploitation and the widespread use of WordPress. Monitor security advisories and threat intelligence feeds for any signs of exploitation.

Who Is at Risk

Websites using the WordPress Meta Data and Taxonomies Filter (MDTF) plugin, particularly those running older, unpatched versions (≤1.3.3.4), are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.

Detection Steps

• wordpress / composer / npm: locate the plugin package on disk.

grep -r 'realmag777/mdtf' /var/www/html/wp-content/plugins/

• wordpress / composer / npm: list the installed plugin and its version with WP-CLI. The plugin slug is the component name listed on this page, wp-meta-data-filter-and-taxonomy-filter; "mdtf" is not part of that slug, so grepping for it would miss the entry.

wp plugin list | grep wp-meta-data-filter-and-taxonomy-filter

• wordpress / composer / npm: update to the fixed release with WP-CLI.

wp plugin update wp-meta-data-filter-and-taxonomy-filter --version=1.3.4

• generic web: Check the WordPress plugin directory for known vulnerable versions of MDTF.
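The WP-CLI check above only works where WP-CLI is installed. As an added example that is not part of this advisory or of the plugin's own tooling, the following POSIX shell script performs the same version check directly from the plugin files: it reads the "Version:" header from the plugin directory and compares it with the fixed release 1.3.4, reporting AFFECTED for anything in the 0.0.0 – 1.3.3.4 range. It goes slightly beyond the page by implementing a general dotted-version comparison instead of a string match. The plugins path, the plugin's directory name under wp-content/plugins and the sample header it writes for offline use are assumptions; only purely numeric dotted versions are handled.

```sh
#!/bin/sh
# Added example, not from the advisory: decide whether an installed copy of
# the MDTF plugin is inside the affected range for CVE-2024-50450 (<= 1.3.3.4)
# by reading the plugin's "Version:" header and comparing it with 1.3.4.

FIXED_VERSION="1.3.4"   # fixed release named by the advisory

# Compare two dotted numeric versions component by component and print
# -1, 0 or 1. Missing trailing components count as 0, so 1.3.4 == 1.3.4.0.
# Only purely numeric versions are handled (no -beta style suffixes).
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    # drop the leading component, or empty the string once none is left
    [ "$a" = "$ah" ] && a='' || a=${a#*.}
    [ "$b" = "$bh" ] && b='' || b=${b#*.}
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when $1 is strictly below the fixed version, i.e. affected.
is_vulnerable() {
  [ "$(version_cmp "$1" "${2:-$FIXED_VERSION}")" = "-1" ]
}

# Print the Version: header of the plugin whose files live in $1. WordPress
# reads plugin headers from the top-level PHP files of the plugin directory;
# the advisory does not name the main file, so every top-level .php file is
# inspected and the one carrying a "Plugin Name:" header wins.
plugin_version() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    if grep -qi '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:' "$f"; then
      sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1
      return 0
    fi
  done
  return 1
}

# Classify one plugin directory: prints "AFFECTED <v>", "PATCHED <v>" or
# "UNKNOWN" and exits 1 only for AFFECTED so the result can drive a script.
check_plugin_dir() {
  v=$(plugin_version "$1") || v=''
  if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
  if is_vulnerable "$v"; then echo "AFFECTED $v"; return 1; fi
  echo "PATCHED $v"; return 0
}

# Write a minimal constructed plugin header (sample data, not the real plugin
# file) into $1 with version $2, so the checker can be exercised offline.
make_sample_plugin() {
  mkdir -p "$1"
  cat > "$1/plugin.php" <<EOF
<?php
/*
Plugin Name: MDTF - Meta Data and Taxonomies Filter (constructed sample)
Version: $2
*/
EOF
}

# Usage: sh check_mdtf.sh /var/www/html/wp-content/plugins
# (that path is an assumption; the directory name is the component slug the
# advisory lists)
if [ $# -gt 0 ]; then
  check_plugin_dir "$1/wp-meta-data-filter-and-taxonomy-filter"
fi
```

Running it against a real plugins directory prints one line per check and exits non-zero for an affected install, so it can gate a deployment or feed a fleet-wide inventory; the same version_cmp routine is reusable for any plugin whose advisory gives an upper affected bound.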

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 1 threat report

EPSS

53.50% (98th percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: partial

CVSS Vector

Threat Intelligence · CVSS 3.1 Base Score: 7.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: no authentication required to exploit.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact confined to the vulnerable component.
Confidentiality
Low: partial access to some data.
Integrity
Low: the attacker can modify some data to a limited extent.
Availability
Low: partial or intermittent denial of service.

Affected Software

Component: wp-meta-data-filter-and-taxonomy-filter
Vendor: realmag777
Affected range: 0.0.0 – 1.3.3.4
Fixed in: 1.3.4

Package Information

Active installations: 1K (Niche)
Plugin rating: 4.5
Requires WordPress: 4.1.0+
Compatible up to: 7.0
Requires PHP: 7.4+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-50450 is to immediately update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to version 1.3.4 or later. If an immediate upgrade is not possible due to compatibility issues or testing requirements, consider temporarily disabling the plugin. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to detect and block code injection attempts can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerable plugins using a security scanner. After upgrading, verify the fix by attempting to inject a simple code snippet through a plugin parameter and confirming that it is properly sanitized and does not execute.

How to Fix

Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to the latest available version. The code injection vulnerability allows execution of malicious code. The update corrects this vulnerability.


Frequently Asked Questions

What is CVE-2024-50450 — Code Injection in WordPress MDTF Plugin?

CVE-2024-50450 is a Code Injection vulnerability affecting the WordPress Meta Data and Taxonomies Filter (MDTF) plugin, allowing attackers to inject malicious code. It has a CVSS score of 7.3 (HIGH).

Am I affected by CVE-2024-50450 in WordPress MDTF Plugin?

You are affected if you are using the WordPress Meta Data and Taxonomies Filter (MDTF) plugin version 1.3.3.4 or earlier. Check your plugin versions immediately.

How do I fix CVE-2024-50450 in WordPress MDTF Plugin?

Update the WordPress Meta Data and Taxonomies Filter (MDTF) plugin to version 1.3.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.

Is CVE-2024-50450 being actively exploited?

There is currently no confirmed active exploitation, but the vulnerability is publicly known and poses a significant risk.

Where can I find the official WordPress advisory for CVE-2024-50450?

Refer to the plugin developer's website or the WordPress plugin directory for the latest updates and security advisories related to the MDTF plugin.
