Platform
wordpress
Component
wp-video-robot
Fixed in
1.20.1
CVE-2024-9192 is a privilege escalation vulnerability in the WordPress Video Robot - The Ultimate Video Importer plugin. An authenticated attacker with Subscriber-level access or higher can exploit the flaw to elevate their own account to administrator and take full control of the WordPress site. All versions up to and including 1.20.0 are affected; the developer fixed the issue in 1.20.1.
The flaw lets authenticated users with Subscriber access or higher bypass the plugin's access controls and obtain administrator privileges. From there an attacker can modify site content, install malicious plugins or themes, read sensitive data, or completely compromise the WordPress installation. The impact is therefore a full site takeover from the lowest built-in role. The case illustrates why WordPress plugins must validate authorization on every code path that writes user meta: a user's role is itself stored as user meta (the `wp_capabilities` key on a default table prefix), so a handler that lets the caller pick the target user or the meta key hands out administrator rights.
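The following PHP is an added illustration of the vulnerable pattern described above and of its hardened counterpart. It is not code from the Video Robot plugin (this advisory does not show the plugin's internals); the AJAX action names, the `demo_` functions and the `demo_rating_score` meta key are hypothetical, chosen only to make the example self-contained.

```php
<?php
/**
 * Added illustration, NOT code from the Video Robot plugin. Hypothetical
 * handler names (demo_*) are used throughout.
 *
 * Pattern: an authenticated endpoint writes user meta and takes the target
 * user and/or the meta key from the request. Because a WordPress user's role
 * lives in user meta ({$wpdb->prefix}capabilities, i.e. wp_capabilities on a
 * default install), any logged-in user who can choose key and value can make
 * themselves an administrator.
 */

// --- Vulnerable pattern -----------------------------------------------------
add_action( 'wp_ajax_demo_rate_result_vuln', 'demo_rate_result_vuln' );
function demo_rate_result_vuln() {
    // Identity and key come from the attacker: no nonce, no capability check,
    // no allowlist. A Subscriber can POST user_id=<own id>,
    // meta_key=wp_capabilities, meta_value[administrator]=1 and PHP will hand
    // update_user_meta() the array array( 'administrator' => '1' ).
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    $value   = isset( $_POST['meta_value'] ) ? wp_unslash( $_POST['meta_value'] ) : '';

    update_user_meta( $user_id, $key, $value ); // sanitize_key() lets 'wp_capabilities' through
    wp_send_json_success();
}

// --- Hardened version -------------------------------------------------------
add_action( 'wp_ajax_demo_rate_result', 'demo_rate_result_safe' );
function demo_rate_result_safe() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'demo_rate_result', 'nonce' );

    // 2. Authentication: wp_ajax_* already implies a logged-in user; be explicit anyway.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'error' => 'not authenticated' ), 401 );
    }

    // 3. Identity comes from the session, never from the request body.
    $user_id = get_current_user_id();

    // 4. Write only the one key this feature owns; the client never names the key.
    $meta_key = 'demo_rating_score';

    // 5. Validate the value against the feature's own domain (a 1-5 rating here).
    $score = isset( $_POST['score'] ) ? absint( $_POST['score'] ) : 0;
    if ( $score < 1 || $score > 5 ) {
        wp_send_json_error( array( 'error' => 'score must be between 1 and 5' ), 400 );
    }

    update_user_meta( $user_id, $meta_key, $score );
    wp_send_json_success( array( 'user_id' => $user_id, 'score' => $score ) );
}

// If a handler legitimately has to act on another user's record, gate it on a
// capability check against that specific user rather than trusting the ID:
//   if ( ! current_user_can( 'edit_user', $target_id ) ) {
//       wp_send_json_error( null, 403 );
//   }
```

The three properties that matter are fixed together: the target user is derived from the session, the writable meta key is hard-coded, and the value is validated. Any one of them alone is insufficient; a nonce, for example, stops cross-site requests but does nothing against a logged-in Subscriber submitting the form themselves.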
The vulnerability was publicly disclosed on 2024-11-16. No public proof-of-concept (PoC) code had been released at the time of writing, but exploitation requires only an authenticated request from a low-privilege account, so weaponization is likely to be quick once details circulate. The CVE is not currently listed in the CISA KEV catalog. Given the plugin's popularity and the straightforward exploitation path, active exploitation should be treated as possible.
Any site running the WordPress Video Robot plugin is at risk, particularly sites that allow open user registration or otherwise host untrusted Subscriber-level accounts, since such an account is all the attacker needs. Shared hosting environments where several websites share the same server account are at increased risk, because compromise of one site can lead to lateral movement into the others.
Checks and commands (WP-CLI, run from the WordPress root; note that wp plugin list prints plugin slugs rather than display names):
• List the plugin and its installed version:
wp plugin list --fields=name,status,version | grep -iE 'video[-_ ]?robot'
• Update all plugins (or only this one with wp plugin update <slug>):
wp plugin update --all
• Confirm the affected code path is present in the installed copy:
grep -r 'wpvr_rate_request_result' /var/www/html/wp-content/plugins/video-robot/
• Check the plugin's activation status:
wp plugin status | grep -iE 'video[-_ ]?robot'
Exploit Status
EPSS
0.20% (43rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to update the WordPress Video Robot plugin to 1.20.1 or later immediately. If updating is not immediately possible, deactivate the plugin until it can be updated, and review whether open user registration (Settings > General > "Anyone can register") is actually needed, since a Subscriber account is all the attacker requires. Regularly review user roles and permissions against the principle of least privilege, and check the administrator list for accounts you do not recognize. WordPress does not log user meta changes by default, so monitoring for suspicious role or capability updates requires an audit-log plugin or a small hook-based logger, with the output shipped to wherever you already collect web server and PHP logs.
Update the WordPress Video Robot plugin to the latest available version. This resolves the privilege escalation vulnerability.
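As an added example for the monitoring advice above (not part of this advisory or of the plugin), the following must-use plugin logs every overwrite of a user's capability or level meta, which is where a Subscriber-to-administrator escalation through arbitrary user-meta writes lands. The `demo_audit_capability_write` function name and the `WP_AUDIT` log prefix are assumptions chosen for the example.

```php
<?php
/**
 * Added example; not part of this advisory or of the Video Robot plugin.
 * Drop into wp-content/mu-plugins/ (must-use plugins load before regular
 * plugins and cannot be deactivated from the dashboard).
 *
 * The 'update_user_meta' action fires immediately BEFORE an existing user-meta
 * row is overwritten, so the old value is still readable. A legitimate role
 * change via WP_User::set_role() ends in the same update_user_meta() call, so
 * this hook also catches an attacker who wrote {$prefix}capabilities directly
 * and thereby never triggered the 'set_user_role' action.
 */
add_action( 'update_user_meta', 'demo_audit_capability_write', 10, 4 );

function demo_audit_capability_write( $meta_id, $user_id, $meta_key, $new_value ) {
    global $wpdb;

    // Role and level keys are table-prefix dependent: wp_capabilities and
    // wp_user_level on a default install, something else if $table_prefix changed.
    $prefix  = $wpdb->get_blog_prefix();
    $watched = array( $prefix . 'capabilities', $prefix . 'user_level' );
    if ( ! in_array( $meta_key, $watched, true ) ) {
        return;
    }

    $old_value = get_user_meta( $user_id, $meta_key, true );
    $actor_id  = get_current_user_id(); // 0 for unauthenticated, cron and WP-CLI contexts

    // Capabilities are stored as array( 'role' => true, ... ); derive the role diff.
    $old_roles = is_array( $old_value ) ? array_keys( array_filter( $old_value ) ) : array();
    $new_roles = is_array( $new_value ) ? array_keys( array_filter( $new_value ) ) : array();
    $gained    = array_values( array_diff( $new_roles, $old_roles ) );

    $record = array(
        'time'        => gmdate( 'c' ),
        'event'       => 'user_meta_capability_write',
        'target_user' => (int) $user_id,
        'actor_user'  => $actor_id,
        'self_change' => ( $actor_id === (int) $user_id ),
        'meta_key'    => $meta_key,
        'old'         => $old_value,
        'new'         => $new_value,
        'gained'      => $gained,
        'request'     => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '(cli/cron)',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        // A role being gained while the acting user lacks promote_users is the
        // signature of this bug class: flag it so a responder can triage quickly.
        'suspicious'  => ( ! empty( $gained ) && ! current_user_can( 'promote_users' ) ),
    );

    // error_log() writes to the PHP error log (or wp-content/debug.log when
    // WP_DEBUG_LOG is on); forward that file to your SIEM.
    error_log( 'WP_AUDIT ' . wp_json_encode( $record ) );
}
```

To verify the hook, change a test user's role from Users > Profile and confirm a `WP_AUDIT` line appears with `suspicious` set to false; then alert on any line where `suspicious` is true or where `gained` contains `administrator`. The hook deliberately only logs: blocking inside this callback would also interfere with legitimate role assignments made by cron jobs or WP-CLI, where `get_current_user_id()` is 0.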
CVE-2024-9192 is a vulnerability in the WordPress Video Robot plugin that lets an authenticated Subscriber-level user gain administrator privileges and take control of the site.
You are affected if you run WordPress Video Robot version 1.20.0 or earlier. Check the installed plugin version and update immediately.
Update the WordPress Video Robot plugin to version 1.20.1 or later. This release resolves the privilege escalation vulnerability.
No public exploit was available at the time of writing, but the low exploitation effort makes active exploitation plausible. Review your administrator accounts and monitor the site for unexpected role changes.
Refer to the plugin developer's website or the plugin's listing page for the latest advisory and update information.