2.5.0
CVE-2021-29504 is a critical remote code execution (RCE) vulnerability affecting versions of wp-cli up to and including v2.4.1. This flaw stems from improper error handling during HTTPS request management, allowing attackers to bypass certificate verification. Successful exploitation enables attackers to impersonate update servers and push malicious updates to WordPress instances or even to the wp-cli agent itself, potentially leading to complete system compromise. A patch is available in version 2.5.0.
The impact of CVE-2021-29504 is severe. An attacker who can intercept communication between a wp-cli agent and an update server can disable certificate verification. This allows them to impersonate legitimate update servers and deliver malicious code disguised as WordPress updates or even malicious updates to the wp-cli tool itself. This could lead to arbitrary code execution on the target system, granting the attacker full control. The blast radius extends to any WordPress instance managed by a vulnerable wp-cli agent, potentially impacting numerous websites and their associated data. This vulnerability is particularly concerning given the widespread use of wp-cli for WordPress management tasks.
CVE-2021-29504 was publicly disclosed on May 19, 2021. While no active exploitation campaigns have been definitively confirmed, the critical severity and potential for remote code execution make it a high-priority vulnerability. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress developers and system administrators who rely on wp-cli for managing WordPress installations are at significant risk. Shared hosting environments where wp-cli is used to manage multiple WordPress instances are particularly vulnerable, as a compromise of one wp-cli agent could potentially impact numerous websites. Users of older wp-cli versions who have not implemented strict access controls are also at increased risk.
• linux / server:
  find /usr/local/bin/wp -type f -mtime -7 -print
• php:
  composer show wp-cli
• generic web:
  curl -I https://raw.githubusercontent.com/wp-cli/builds/v2.4.1/phar/wp-cli.phar | grep 'Server:'
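None of the commands above reports which wp-cli release is actually installed, which is what decides exposure (2.4.1 and earlier vulnerable, 2.5.0 fixed). The script below is an added example, not part of the advisory or of wp-cli itself: it parses the output of wp cli version, compares it component by component against 2.5.0 with plain POSIX awk (no reliance on sort -V), and reports the result. The two SAMPLE_ strings are constructed stand-ins for output from two hosts; when a wp binary is on PATH the script queries it instead.

```shell
#!/bin/sh
# Added example (not from the advisory or from wp-cli): decide from the output
# of `wp cli version` whether the installed release predates the 2.5.0 fix.
FIXED_VERSION="2.5.0"

# Pull the first dotted numeric version out of a string such as "WP-CLI 2.4.1".
wpcli_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Numeric, component-wise comparison of dotted versions (POSIX awk only).
# Returns 0 when $1 < $2, 1 otherwise; a missing component counts as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# Returns 0 when the version found in the given output is below FIXED_VERSION,
# 1 when it is at or above it (patched), 2 when no version could be parsed.
wpcli_is_vulnerable() {
    v=$(wpcli_extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample outputs, standing in for `wp cli version` on two hosts.
SAMPLE_OLD="WP-CLI 2.4.1"
SAMPLE_NEW="WP-CLI 2.5.0"

# Stand-alone use: query the real binary when present, otherwise the samples.
if command -v wp >/dev/null 2>&1; then
    set -- "$(wp cli version 2>/dev/null)"
else
    set -- "$SAMPLE_OLD" "$SAMPLE_NEW"
fi
for out in "$@"; do
    rc=0
    wpcli_is_vulnerable "$out" || rc=$?
    case $rc in
        0) echo "$out -> VULNERABLE (below $FIXED_VERSION), upgrade wp-cli" ;;
        1) echo "$out -> patched" ;;
        *) echo "$out -> could not determine version" >&2 ;;
    esac
done
```

On shared hosts with several wp-cli copies, run the loop over each binary path (for example the phar paths the find command above turns up) rather than relying on whichever wp is first on PATH.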
Exploitation status
EPSS
1.15% (78th percentile)
CVSS vector
The primary mitigation for CVE-2021-29504 is to upgrade to wp-cli version 2.5.0 or later, which contains the fix. If an immediate upgrade is not possible due to compatibility issues, consider temporarily disabling automatic updates via wp-cli. While not a complete solution, this can reduce the attack surface. Carefully review any updates manually before applying them. Monitor network traffic for suspicious connections to update servers. Implement strict access controls to limit who can execute wp-cli commands. After upgrading, confirm the fix by attempting an HTTPS update and verifying that certificate verification is still enforced.
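Two of the steps above, reviewing an update by hand before applying it and making sure an HTTPS fetch fails closed, can be scripted. The script below is an added example and is not the advisory's or wp-cli's own code. It downloads an artifact with curl configured so that an unverifiable certificate or a redirect away from HTTPS aborts the transfer instead of being ignored, and it accepts the file only if its SHA-512 matches a digest obtained in a separate request (wp-cli publishes .sha512 files next to its phar builds; the URL in the comment is a placeholder to confirm against the project's site). The demonstration input at the bottom is a constructed temporary file, not a real phar.

```shell
#!/bin/sh
# Added example, not part of the advisory or of wp-cli itself: fetch an update
# artifact over strictly verified HTTPS and refuse it unless its SHA-512
# matches a checksum obtained out of band.

# Fail-closed download: HTTPS only (also for redirects), TLS 1.2 or newer,
# no --insecure, and a non-2xx response is an error rather than a saved page.
strict_https_fetch() {
    url=$1; out=$2
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$out" "$url"
}

# SHA-512 of a file, portably (coreutils sha512sum or perl-based shasum).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only when FILE's SHA-512 equals EXPECTED (hex, case-insensitive).
verify_sha512() {
    file=$1; expected=$2
    actual=$(sha512_of "$file")
    [ -n "$actual" ] &&
        [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
          "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Real use (URL is a placeholder; confirm the artifact and .sha512 locations):
#   strict_https_fetch "https://EXAMPLE-HOST/wp-cli.phar" wp-cli.phar.new
#   strict_https_fetch "https://EXAMPLE-HOST/wp-cli.phar.sha512" wp-cli.phar.sha512
#   verify_sha512 wp-cli.phar.new "$(awk '{print $1}' wp-cli.phar.sha512)"
# Demonstration below uses a constructed file and a digest computed from it.
demo=$(mktemp)
printf 'not a real phar, constructed sample content\n' > "$demo"
expected=$(sha512_of "$demo")
if verify_sha512 "$demo" "$expected"; then
    echo "checksum OK: artifact may be reviewed and installed"
else
    echo "checksum MISMATCH: discard the artifact" >&2
fi
rm -f "$demo"
```

A mismatch, or a curl failure with a certificate error, is the signal to stop and investigate; the one thing never to do is retry the fetch with verification switched off, which is exactly the fail-open behaviour this CVE describes.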
Update WP-CLI to 2.5.0 or later. If you cannot update, avoid making HTTPS requests for which certificate verification is critical. If you are running a version earlier than 2.5.0 there is no direct workaround, but you can consider upgrading to the latest version.
CVE-2021-29504 is a critical remote code execution vulnerability in wp-cli versions up to 2.4.1. It allows attackers to impersonate update servers and push malicious updates.
You are affected if you are using wp-cli version 2.4.1 or earlier. Check your version with composer show wp-cli.
Upgrade to wp-cli version 2.5.0 or later using composer update wp-cli. Consider disabling automatic updates temporarily if an immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the critical severity makes it a high-priority vulnerability and exploitation is possible.
Refer to the official wp-cli security advisory: https://github.com/wp-cli/builds/issues/623