Platform: wordpress
Component: woffice
Fixed in: 5.4.11
CVE-2024-43153 describes a Privilege Escalation vulnerability within WofficeIO Woffice. This flaw allows unauthorized users to elevate their privileges, potentially leading to complete system compromise. The vulnerability impacts versions of Woffice up to and including 5.4.10, and a patch is available in version 5.4.11.
The Privilege Escalation vulnerability in Woffice allows an attacker to bypass intended access controls and gain administrative or root-level privileges. This could enable them to modify system configurations, access sensitive data, install malicious software, or even take complete control of the affected WordPress instance. The potential impact is severe, as a successful exploit could lead to data breaches, service disruption, and reputational damage. The scope of the impact depends on the sensitivity of the data stored and processed by the Woffice installation and the broader WordPress environment.
CVE-2024-43153 was publicly disclosed on August 13, 2024. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation if left unpatched. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Woffice for document management or other functionalities within their WordPress installations are at risk. This includes businesses of all sizes, particularly those relying on Woffice for sensitive data storage or processing. Shared hosting environments where multiple WordPress sites share resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm: `wp plugin list | grep -i officeio`
• wordpress / composer / npm: `wp plugin update --all`
• wordpress / composer / npm: `wp plugin status officeio-woffice`
• wordpress / composer / npm: Check the Woffice plugin directory for any unusual files or modifications.
• wordpress / composer / npm: Review WordPress user roles and permissions to ensure least privilege is enforced.
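The version check in the steps above is easy to get wrong with a plain string comparison (`5.4.9` sorts after `5.4.10` lexically). The script below is an added example, not code from this page or from WofficeIO: it reads `wp plugin list --format=csv` output (the CSV sample here is constructed, and the slug `officeio-woffice` is assumed from the commands above), compares the Woffice version against the fixed release 5.4.11 with `sort -V`, and reports whether the install is still on an affected version. Run it without arguments to see the constructed sample evaluated, or with `--live` on a host where WP-CLI is available.

```shell
#!/bin/sh
# Added example (not from the advisory page): flag a Woffice install that is
# still on a version affected by CVE-2024-43153 (<= 5.4.10, fixed in 5.4.11).
# The plugin slug and the sample CSV below are assumptions/constructed data.

FIXED_VERSION="5.4.11"

# version_lt A B: succeeds when version A is strictly lower than version B.
# sort -V orders numerically per component, so 5.4.9 < 5.4.10 as expected.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_woffice_csv: reads "name,status,update,version" rows on stdin
# (the shape of `wp plugin list --format=csv`) and prints one line for the
# Woffice row: "VULNERABLE <version>" or "PATCHED <version>".
check_woffice_csv() {
    while IFS=, read -r name status update version; do
        case "$name" in
            *woffice*)
                if version_lt "$version" "$FIXED_VERSION"; then
                    echo "VULNERABLE $version"
                else
                    echo "PATCHED $version"
                fi
                ;;
        esac
    done
}

# Constructed sample resembling `wp plugin list --format=csv` output,
# including the header row that WP-CLI emits.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
officeio-woffice,active,available,5.4.10
hello,inactive,none,1.7.2'

if [ "${1:-}" = "--live" ]; then
    # Real check on a host with WP-CLI installed (assumed slug: officeio-woffice).
    wp plugin list --format=csv | check_woffice_csv
else
    printf '%s\n' "$SAMPLE_CSV" | check_woffice_csv
fi
```

The `--live` branch is the only part that touches a real site; everything else runs offline against the constructed rows, so the comparison logic can be exercised before it is wired into a fleet-wide check.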
EPSS: 0.13% (33rd percentile)
The primary mitigation for CVE-2024-43153 is to immediately upgrade Woffice to version 5.4.11 or later. If upgrading is not immediately feasible, consider implementing stricter access controls within WordPress to limit the potential damage from a compromised account. Review user permissions and ensure that only authorized personnel have administrative access. While a WAF might offer some protection, it's unlikely to be effective against this type of privilege escalation vulnerability. After upgrading, verify the fix by attempting to access restricted resources with a non-administrative user account to confirm that privilege escalation is no longer possible.
Update the Woffice theme to the latest available version. The privilege escalation vulnerability has been fixed in versions after 5.4.10. Consult the theme's documentation for instructions on how to update.
CVE-2024-43153 is a critical vulnerability in WofficeIO Woffice allowing attackers to gain elevated privileges, potentially compromising the entire system. It affects versions up to 5.4.10.
If you are using Woffice version 5.4.10 or earlier, you are vulnerable. Check your plugin version using `wp plugin list`.
Upgrade Woffice to version 5.4.11 or later. Use `wp plugin update officeio-woffice` to update.
As of now, there are no publicly known active exploits, but the CRITICAL severity suggests a high likelihood of exploitation if unpatched.
Refer to the WofficeIO security advisory page for the latest information: [https://wofficio.com/security/](https://wofficio.com/security/)