Platform
wordpress
Component
customify-sites
Fixed in
0.0.10
CVE-2024-33644 describes a Remote Code Execution (RCE) vulnerability in Customify Site Library, a WordPress plugin (slug customify-sites). It allows an attacker to inject and execute arbitrary code on the web server, which can lead to full compromise of the site. All versions up to and including 0.0.9 are affected; the fix shipped in version 0.0.10.
The impact is severe. Injected code runs with the privileges of the PHP worker that serves the WordPress site, so a successful attacker can read wp-config.php (which holds the database credentials and the authentication keys and salts), read or modify any file the web server can write, alter site content, drop web shells or other malware, and pivot to anything reachable from the server, such as the database host or internal services. On shared hosting the blast radius can extend to other tenants if the hosting isolation is weak.
CVE-2024-33644 was publicly disclosed on 2024-05-17. It is rated CRITICAL under CVSS; note that CVSS measures severity, not likelihood of exploitation. Likelihood is captured by the EPSS score of 17.04% (95th percentile), which is well above average for published CVEs. No public proof-of-concept (PoC) had been widely circulated at the time of writing, but code-injection flaws in WordPress plugins are typically weaponised quickly once the fixing change is public, so any site still running 0.0.9 or earlier should be treated as exposed.
Any site running Customify Site Library 0.0.9 or earlier is at risk. Exposure is highest where the plugin is still installed on sites that are no longer actively maintained, on shared hosting where a compromised site can reach other tenants, and on sites without file-integrity monitoring or web-server access logging that would reveal a dropped web shell.
• wordpress / composer / npm:
grep -ri "Customify Site Library" /var/www/html/wp-content/plugins/customify-sites/
wp plugin list --fields=name,version,status | grep -i customify
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/customify-sites/readme.txt | grep -i "stable tag"
Disclosure
Exploit Status
EPSS
17.04% (95th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-33644 is to upgrade the Customify Site Library plugin to version 0.0.10 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin and preferably delete it: a deactivated plugin's PHP files remain on disk and, depending on the flaw, may still be reachable by direct request. A web application firewall (WAF) tuned to block code-injection patterns adds a layer of defence but is not a substitute for the patch. Review web-server access logs for unexpected requests to the plugin's paths and check the uploads and plugins directories for recently modified or unfamiliar PHP files. After upgrading, verify the installed version is 0.0.10 or later (for example with wp plugin list) rather than attempting to re-trigger the vulnerability on a production site.
Update the Customify Site Library plugin to the latest available version. The Remote Code Execution (RCE) vulnerability is present in version 0.0.9 and earlier; version 0.0.10 resolves it.
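The detection commands and the post-upgrade version check can be scripted. The following is an added example, not code from the original advisory or from the Customify project: it parses the Version header of a WordPress plugin main file and compares it numerically against the fixed version 0.0.10, which a plain string comparison gets wrong (0.0.9 sorts after 0.0.10 lexically). The directory name customify-sites is the Component slug given on this page; the plugin's main-file name is not known, so every top-level PHP file in the directory is scanned for the header; the sample header is constructed.

```shell
#!/bin/sh
# Added example: check whether an installed Customify Site Library version is
# below the fixed release 0.0.10. Not part of the original advisory.

FIXED_VERSION="0.0.10"

# version_lt A B: returns 0 (true) if dotted version A is strictly less than B.
# Components are compared numerically; any suffix after the first non-digit
# in a component (e.g. "9-beta") is ignored. Missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# plugin_version: read a WordPress plugin main file on stdin and print the
# value of its "Version:" header line (first match only).
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_vulnerable VERSION: 0 if VERSION is affected (anything below 0.0.10).
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed [DIR]: scan the plugin directory for a header and report.
# Default path assumes a standard docroot; customify-sites is the slug from
# this page. Exit 0 = vulnerable, 1 = fixed, 2 = no header found.
check_installed() {
    dir="${1:-/var/www/html/wp-content/plugins/customify-sites}"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(plugin_version < "$f")
        [ -n "$v" ] || continue
        if is_vulnerable "$v"; then
            echo "VULNERABLE: $f reports version $v (fixed in $FIXED_VERSION)"
            return 0
        fi
        echo "OK: $f reports version $v"
        return 1
    done
    echo "No plugin header found under $dir" >&2
    return 2
}

# Constructed sample header in the standard WordPress plugin-header format.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: Customify Site Library
 * Version: 0.0.9
 */'

sample_version=$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version)
if is_vulnerable "$sample_version"; then
    echo "Constructed sample reports $sample_version: affected, upgrade to $FIXED_VERSION"
else
    echo "Constructed sample reports $sample_version: not affected"
fi
```

Run check_installed with the real plugin path on a host to test the installed copy; the numeric comparison matters because 0.0.10 is the first version with a two-digit patch component.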
CVE-2024-33644 is a critical Remote Code Execution vulnerability in the Customify Site Library WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Customify Site Library version 0.0.9 or earlier. Check your plugin versions immediately.
Upgrade Customify Site Library to version 0.0.10 or later to resolve the vulnerability. Disable the plugin temporarily if upgrading is not immediately possible.
No widespread exploitation has been confirmed, but the CRITICAL severity rating and an EPSS score in the 95th percentile indicate a high likelihood of exploitation once public exploit code appears.
Refer to the Customify website and WordPress plugin repository for the official advisory and update information.