Platform
wordpress
Component
post-meta-data-manager
Affected versions
up to and including 1.4.4
Fixed in
1.4.5
CVE-2024-13835 is a privilege escalation vulnerability in the Post Meta Data Manager plugin for WordPress. An authenticated attacker holding the Administrator role can use the flaw to gain elevated privileges on subsites of a WordPress multisite installation. It affects all versions of the plugin up to and including 1.4.4; version 1.4.5 contains the fix.
In a multisite network the Administrator role is scoped to a single site, and only a Super Admin (network administrator) is meant to act across sites. This vulnerability lets an authenticated administrator bypass that boundary and obtain administrative privileges on subsites they have no role on. From there an attacker could modify site content, install malicious plugins or themes, or take over user accounts on those subsites, with data exposure, defacement, and full compromise of the affected subsites as the potential outcome. It is a reminder that plugin code running in a multisite environment must check not only that the caller has a capability, but that the capability applies to the site being acted on.
CVE-2024-13835 was publicly disclosed on 2025-03-07. There are currently no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog at the time of writing. Exploitation requires both a multisite installation and an account with Administrator-level access on that installation, so single-site installs are not exposed to the multisite escalation described here.
WordPress multisite networks running the Post Meta Data Manager plugin are at risk. Networks with many subsites, or with many accounts holding the Administrator role (a larger pool of accounts that could be compromised or misused), have the greater exposure. Shared hosting environments in which plugin updates are not under the site owner's control also face elevated risk, because the fixed release may not be applied promptly.
• WordPress (filesystem, check the plugin header version):
grep -rh --include='*.php' 'Version:' /var/www/html/wp-content/plugins/post-meta-data-manager/
• WordPress (WP-CLI, check the installed version and update status):
wp plugin list --fields=name,version,status,update | grep post-meta-data-manager
• WordPress (WP-CLI, apply the fix):
wp plugin update post-meta-data-manager
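As an added example (not code from this page or from the plugin's authors): a POSIX shell snippet that reads the standard `Version:` header from a plugin's main PHP file and decides whether the installed copy falls in the affected range for CVE-2024-13835. The fixed version 1.4.5 comes from the advisory above; the sample header file written by `make_sample_header` is constructed for the demonstration and is not the plugin's real file, and the version comparison is done in awk so the script does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example for CVE-2024-13835: is an installed Post Meta Data Manager
# plugin in the vulnerable range (<= 1.4.4)?  Assumptions: the plugin's main
# PHP file carries the standard WordPress "Version: x.y.z" header line, and
# the fixed version is 1.4.5 as stated in the advisory.

FIXED_VERSION="1.4.5"

# Compare two dotted version strings numerically, component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2.  Missing components count
# as 0, so "1.4" compares equal to "1.4.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Extract the value of the first "Version:" header line in a plugin file.
# Accepts both " * Version: 1.4.4" (inside a docblock) and "Version: 1.4.4".
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Classify a version string: "vulnerable" if below the fixed release,
# otherwise "fixed".
pmdm_status() {
    if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed sample plugin header (not the real plugin file) so the parse
# can be exercised offline.  $1 is the path to write.
make_sample_header() {
    cat > "$1" <<'EOF'
<?php
/**
 * Plugin Name: Post Meta Data Manager
 * Version: 1.4.4
 */
EOF
}

# Check a real installation: pass the plugin's main PHP file as $1.
# Example: check_plugin_file /var/www/html/wp-content/plugins/post-meta-data-manager/post-meta-data-manager.php
# (that filename is an assumption; use whichever file in the plugin directory carries the header)
check_plugin_file() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "no Version: header found in $1" >&2
        return 2
    fi
    echo "$v $(pmdm_status "$v")"
}
```

On a multisite network the plugin code is installed once and shared by every subsite, so a single check of the plugin directory answers the question for the whole network; there is no per-subsite copy to inspect.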
Exploit Status
EPSS
0.22% (45th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13835 is to upgrade the Post Meta Data Manager plugin to version 1.4.5 or later, where the vulnerability is addressed. In a multisite network the plugin code is installed once and shared by all subsites, and only a network administrator can update it, so one upgrade covers the whole network. If an immediate upgrade is not possible because of compatibility concerns or testing requirements, reduce the number of accounts holding the Administrator role on any site in the network and tighten role assignments on subsites. Review user roles and permissions regularly against the principle of least privilege. After upgrading, confirm the fix by checking that the plugin version reported by the network admin dashboard or by WP-CLI is 1.4.5 or later, and by verifying that an administrator of one subsite can no longer perform administrative actions on a subsite where they hold no role.
A fixed release, 1.4.5, is available, and upgrading is the recommended remediation. If you cannot upgrade, review the vulnerability details in depth and apply mitigations according to your organization's risk tolerance; uninstalling the affected plugin and finding a replacement may be preferable to running an affected version.
CVE-2024-13835 is a vulnerability in the Post Meta Data Manager plugin for WordPress that allows an authenticated administrator to gain elevated privileges on subsites within a multisite installation.
You are affected if you use the Post Meta Data Manager plugin in a WordPress multisite environment and are running version 1.4.4 or earlier.
Upgrade the Post Meta Data Manager plugin to version 1.4.5 or later. This resolves the privilege escalation vulnerability.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2024-13835.
Refer to the plugin developer's website or the WordPress.org plugin repository for the official advisory and update information.