Platform
wordpress
Component
post-meta-data-manager
Fixed version
1.4.4
1.4.5
CVE-2024-13835 is a privilege escalation vulnerability discovered in the Post Meta Data Manager plugin for WordPress. An authenticated attacker with Administrator-level access can exploit this flaw to gain elevated privileges on subsites within a multisite WordPress installation. This vulnerability affects versions of the plugin up to and including 1.4.4. A patch is available to resolve this issue.
This vulnerability allows an authenticated administrator on a WordPress multisite installation to bypass access controls and gain administrative privileges on subsites they would normally not have access to. An attacker could leverage this to modify site content, install malicious plugins or themes, or compromise user accounts on those subsites. The potential impact extends to data breaches, website defacement, and complete site takeover of affected subsites. This vulnerability highlights the importance of proper access control verification within WordPress plugins, especially in multisite environments.
CVE-2024-13835 was publicly disclosed on 2025-03-07. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the presence of a WordPress multisite installation and the attacker's ability to obtain administrator-level access to the main site.
WordPress multisite installations using the Post Meta Data Manager plugin are at risk. Specifically, sites with a large number of subsites or those with less stringent user access controls are more vulnerable. Shared hosting environments where plugin updates are not managed by the user also face increased risk.
• wordpress / composer / npm:
grep -r 'wp_kses_post' /var/www/html/wp-content/plugins/post-meta-data-manager/
• wordpress / composer / npm:
wp plugin list --status=all | grep 'Post Meta Data Manager'
• wordpress / composer / npm:
wp plugin update --all
disclosure
Exploit status
EPSS
0.22% (45th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13835 is to upgrade the Post Meta Data Manager plugin to a version higher than 1.4.4, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility concerns or testing requirements, consider restricting administrator access to the main site and implementing stricter user role permissions on subsites. Regularly review user roles and permissions to ensure they align with the principle of least privilege. After upgrading, confirm the fix by attempting to access a subsite as a user with limited privileges and verifying that access is denied.
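A version check for the affected range described above, as an added example that is not part of this advisory: it compares the installed plugin version against 1.4.4 with `sort -V` so that a release such as 1.4.10 is correctly treated as newer, and assumes WP-CLI is installed, the plugin slug is `post-meta-data-manager` (as listed above), and the site lives under `/var/www/html` unless another path is given.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Post Meta Data Manager
# version against the affected range of CVE-2024-13835 (<= 1.4.4).
LAST_VULNERABLE="1.4.4"

# Print "vulnerable" if $1 <= 1.4.4, "fixed" otherwise.
# sort -V orders by numeric components, so 1.4.10 sorts after 1.4.4.
pmdm_status() {
    v="$1"
    highest=$(printf '%s\n%s\n' "$v" "$LAST_VULNERABLE" | sort -V | tail -n 1)
    if [ "$highest" = "$LAST_VULNERABLE" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Read the installed version through WP-CLI and report it with its status.
# The install path defaults to /var/www/html (assumption); plugins are
# network-wide on multisite, so one query covers every subsite.
pmdm_check_install() {
    path="${1:-/var/www/html}"
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found"
        return 1
    fi
    if ! v=$(wp plugin get post-meta-data-manager --field=version --path="$path" 2>/dev/null); then
        echo "post-meta-data-manager not installed"
        return 0
    fi
    printf 'post-meta-data-manager %s: %s\n' "$v" "$(pmdm_status "$v")"
}

# Usage: sh check-pmdm.sh [/path/to/wordpress]
if [ "$#" -gt 0 ]; then
    pmdm_check_install "$1"
fi
```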
No known patch is available. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. It is best to uninstall the affected software and look for an alternative.
CVE-2024-13835 is a vulnerability in the Post Meta Data Manager plugin for WordPress that allows authenticated administrators to gain elevated privileges on subsites within a multisite installation.
You are affected if you are using the Post Meta Data Manager plugin in a WordPress multisite environment and are running a version equal to or less than 1.4.4.
Upgrade the Post Meta Data Manager plugin to a version greater than 1.4.4. This resolves the privilege escalation vulnerability.
As of the current date, there are no known public exploits or active campaigns targeting CVE-2024-13835.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.