Platform
wordpress
Component
salesking
Fixed in
1.6.16
CVE-2024-22157 is an Improper Privilege Management vulnerability in the WebWizards SalesKing WordPress plugin that enables privilege escalation: an attacker can bypass the plugin's intended access controls and potentially obtain administrative access. It affects SalesKing up to and including version 1.6.15; version 1.6.16 contains the fix.
Successful exploitation of CVE-2024-22157 lets an attacker escalate privileges within the SalesKing plugin, which in practice means control of the WordPress site: modifying content, installing malicious plugins, reading the data the site holds (user credentials, customer information, financial data) and, through the web server's own privileges, potentially compromising the underlying host. The impact is aggravated by what SalesKing is used for: it manages customer relationships and sales processes, so the data at risk is of high value. A compromised site can also serve as a foothold for further attacks on the surrounding network, giving the flaw a wide blast radius.
CVE-2024-22157 was publicly disclosed on 2024-05-17. At the time of writing there is no publicly available proof-of-concept exploit. The CRITICAL CVSS rating indicates that exploitation is likely once a working exploit is developed and released. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants close monitoring.
Organizations that use SalesKing for customer relationship management or sales tracking are at significant risk, above all those still running SalesKing 1.6.15 or earlier and those with limited security monitoring or patching practices. Shared WordPress hosting raises the risk further: a compromised SalesKing plugin on one site can potentially affect other sites on the same server.
Detection and update commands (wordpress / composer / npm):
• wp plugin list | grep -i salesking
• wp plugin status salesking
• grep -r 'SalesKing' /var/www/html/wp-content/plugins/
• wp plugin update --all
Disclosure
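As an added example (not from the advisory page or the SalesKing project), the following POSIX shell script decides whether an installed copy is in the vulnerable range by reading the plugin's WordPress "Version:" header and comparing it numerically against 1.6.16. It assumes the plugin lives at wp-content/plugins/salesking with a standard plugin header; the sample plugin file it builds is constructed for demonstration. Numeric comparison matters here: a plain string comparison ranks 1.6.2 above 1.6.16 and would report a vulnerable install as patched.

```shell
#!/bin/sh
# Added example for CVE-2024-22157 (not the advisory's or SalesKing's own code).
# Reads the WordPress "Version:" plugin header and compares it against the fixed
# release. Assumptions: plugin directory wp-content/plugins/salesking, standard
# header format, WP-CLI optional. FIXED_VERSION comes from the advisory.

FIXED_VERSION="1.6.16"

# Print the "Version:" header of a plugin directory, the same header WordPress
# reads to display a plugin's version. Returns 1 if no header is found.
plugin_header_version() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        # Match " * Version: 1.6.15" or "Version: 1.6.15" and capture the number.
        v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# Return 0 (true) when $1 is strictly older than $2, comparing each dotted
# component as a number; missing components count as 0 (1.6 == 1.6.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# True when the given SalesKing version predates the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Print a verdict for one plugin directory. Exit status: 0 patched, 1 vulnerable,
# 2 version could not be determined (any nonzero status needs attention).
check_plugin_dir() {
    v=$(plugin_header_version "$1") || { echo "UNKNOWN: no Version header under $1"; return 2; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE: SalesKing $v (< $FIXED_VERSION) at $1"
        return 1
    fi
    echo "OK: SalesKing $v at $1"
    return 0
}

# Constructed sample (not a real install): a minimal plugin directory whose
# header claims the last vulnerable version. Prints the directory path.
make_sample_plugin_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/salesking"
    cat > "$d/salesking/salesking.php" <<'EOF'
<?php
/**
 * Plugin Name: SalesKing
 * Version: 1.6.15
 */
EOF
    printf '%s\n' "$d/salesking"
}

# Stand-alone use: sh check_salesking.sh /var/www/html/wp-content/plugins/salesking
if [ -n "${1:-}" ]; then
    check_plugin_dir "$1"
    exit $?
fi
```

On a live site, cross-check the header value with WP-CLI (`wp plugin get salesking --field=version`); a mismatch between the two points at a stale or duplicated copy of the plugin that is worth investigating.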
Exploit status
EPSS
0.52% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-22157 is to upgrade SalesKing to version 1.6.16 or later immediately. If an immediate upgrade is not feasible because of compatibility or testing requirements, apply temporary workarounds, such as restricting access to SalesKing's administrative functions to trusted user roles. A WAF may offer some protection, but it is not a substitute for patching. After upgrading, verify the fix by logging in as a non-administrative user (for example a subscriber or customer account), attempting SalesKing's administrative functions, and confirming that access is denied; also confirm that the plugin reports version 1.6.16 or later.
Update the SalesKing plugin to the latest available version. The unauthenticated privilege escalation vulnerability is fixed in versions after 1.6.15. To update, go to the WordPress admin panel, open the 'Plugins' section and look for 'SalesKing' to update it.
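Privilege escalation bugs are typically abused to create or promote administrator accounts, so the upgrade should be followed by an audit of the administrator roster. The script below is an added example, not part of the advisory or of SalesKing: it parses the CSV that WP-CLI prints for `wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv` and flags administrators that are not on an allow-list or were registered on or after a cut-off date (the disclosure date 2024-05-17 serves as an illustrative cut-off). The allow-list and the sample CSV are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or the SalesKing project): audit the
# WordPress administrator roster after patching a privilege-escalation bug.
# Input is the CSV produced by
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# The allow-list and cut-off date are assumptions chosen for the example.

# Constructed sample of WP-CLI output (header row first); not real site data.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2021-03-02 10:15:00
7,ops-admin,2023-11-20 08:00:00
42,wp_support,2024-05-20 03:14:07'

# Read CSV on stdin and print one line per administrator that is either not in
# the comma-separated allow-list ($1) or was registered on/after the cut-off
# date ($2, YYYY-MM-DD). Dates are compared as ISO strings, so no date parsing.
flag_unexpected_admins() {
    allow="$1"; cutoff="$2"
    awk -F, -v allow="$allow" -v cutoff="$cutoff" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                      # skip the CSV header row
        {
            login = $2; registered = substr($3, 1, 10)
            reason = ""
            if (!(login in ok)) reason = "not on allow-list"
            if (registered >= cutoff) reason = reason (reason ? "; " : "") "registered " registered
            if (reason != "") printf "%s (ID %s): %s\n", login, $1, reason
        }'
}

# Number of flagged accounts; useful as the exit status of a scheduled check.
count_unexpected_admins() {
    flag_unexpected_admins "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use against the constructed sample:
#   printf '%s\n' "$SAMPLE_ADMINS" | flag_unexpected_admins "siteowner,ops-admin" 2024-05-17
# On a live site, feed the real WP-CLI output instead:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv \
#       | flag_unexpected_admins "siteowner,ops-admin" 2024-05-17
```

Any account the script reports should be treated as suspect until its origin is explained; an unexplained administrator that appeared after the disclosure date on an unpatched site is a sign that the upgrade came too late and that incident response, not just patching, is needed.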
CVE-2024-22157 is a critical vulnerability in SalesKing allowing attackers to gain elevated privileges, potentially compromising the entire WordPress site. It affects versions up to 1.6.15.
Yes, if you are using SalesKing version 1.6.15 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade SalesKing to version 1.6.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access based on user roles.
As of now, there are no publicly known exploits, but the CRITICAL severity suggests a high likelihood of exploitation if a suitable exploit is developed.
Refer to the official SalesKing website or their WordPress plugin page for the latest security advisory and update information.