Platform: wordpress
Component: cwicly
Fixed in: 1.4.1
CVE-2024-24707 describes a Remote Code Execution (RCE) vulnerability within the Cwicly Builder WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete server compromise. The vulnerability affects versions of Cwicly Builder up to and including 1.4.0.2, and a fix is available in version 1.4.1.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute arbitrary commands on the web server hosting the WordPress site. This could lead to data theft, website defacement, malware installation, or complete server takeover. Given the plugin's functionality as a visual builder, the attack surface is broad, potentially affecting any site using Cwicly Builder. The ability to execute arbitrary code bypasses standard WordPress security measures, making this a high-priority concern.
This vulnerability was publicly disclosed on April 3, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Cwicly Builder plugin, particularly those running versions prior to 1.4.1, are at significant risk. Shared hosting environments are especially vulnerable, as a compromised Cwicly Builder installation on one site could potentially impact other sites on the same server.
• wordpress / composer / npm: wp plugin list | grep -i cwicly
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status | grep -i cwicly
• generic web: check the WordPress plugin directory for the updated version 1.4.1
• wordpress / composer / npm: wp plugin path cwicly
Disclosure
Exploit status
EPSS: 0.42% (62nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Cwicly Builder to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Cwicly Builder functionality. While a direct WAF rule is difficult to implement without specific code injection patterns, monitoring for unusual file uploads or execution attempts related to Cwicly Builder can provide early detection. Review WordPress user permissions and ensure the principle of least privilege is enforced.
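As an added example (not code from this advisory or from the Cwicly project), the POSIX shell script below applies the version check behind the detection commands above: it ranks an installed Cwicly version against the fixed version 1.4.1 with a field-wise numeric comparison, so that 1.4.0.2 is correctly treated as older than 1.4.1 (a plain string comparison would not), and, when given a WordPress root path as its first argument (assumed usage), reads the live version with WP-CLI's wp plugin get.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed Cwicly
# version is still affected by CVE-2024-24707 (fixed in 1.4.1) and, optionally,
# read that version from a live site with WP-CLI.
set -eu

FIXED_VERSION="1.4.1"

# version_lt A B: succeeds when dotted numeric version A is lower than B.
# Plain string comparison gets 1.4.0.2 vs 1.4.1 wrong, so sort numerically
# field by field (POSIX sort options only; no dependency on GNU sort -V).
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" \
    | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
  [ "$lowest" = "$1" ]
}

# cwicly_status VERSION: prints "vulnerable" for 1.4.0.2 and earlier, "fixed"
# for 1.4.1 and later, and "unknown" when the version string is empty.
cwicly_status() {
  if [ -z "$1" ]; then
    echo unknown
  elif version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# Live check (assumed usage): pass the WordPress root as the first argument.
# "wp plugin get cwicly --field=version" prints only the installed version;
# if the plugin is not installed the command fails and the result is "unknown".
if [ "$#" -gt 0 ]; then
  installed=$(wp plugin get cwicly --field=version --path="$1" 2>/dev/null || true)
  printf 'cwicly %s: %s (fixed in %s)\n' "${installed:-not installed}" \
    "$(cwicly_status "$installed")" "$FIXED_VERSION"
fi
```

Run without arguments the script only defines the functions, which makes it easy to reuse in a larger inventory check; an "unknown" result should be confirmed by hand rather than read as "not affected".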
Update the Cwicly plugin to the latest available version. The remote code execution (RCE) vulnerability is fixed in versions later than 1.4.0.2. Consult the plugin documentation for detailed update instructions.
CVE-2024-24707 is a critical Remote Code Execution vulnerability in the Cwicly Builder WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Cwicly Builder versions 1.4.0.2 or earlier. Upgrade to 1.4.1 to resolve the issue.
Upgrade the Cwicly Builder plugin to version 1.4.1 or later through the WordPress plugin management interface.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Cwicly website and WordPress plugin repository for the latest advisory and update information: https://www.cwicly.com/