Platform
wordpress
Component
salesking
Fixed version
1.6.16
CVE-2024-22157 describes an Improper Privilege Management vulnerability within WebWizards SalesKing, enabling Privilege Escalation. This flaw allows attackers to bypass intended access controls and potentially gain administrative access. The vulnerability affects SalesKing versions up to 1.6.15, and a patch is available in version 1.6.16.
Successful exploitation of CVE-2024-22157 lets an attacker escalate privileges within the SalesKing WordPress plugin, up to administrative control of the site: modifying content, installing further plugins (including malicious ones), reading stored data such as user credentials, customer records and financial details and, depending on the hosting setup, compromising the underlying server. Because SalesKing is typically used to manage customer relationships and sales processes, the data exposed is of high value, and a compromised site can serve as a foothold for further attacks against the surrounding network.
CVE-2024-22157 was publicly disclosed on 2024-05-17. As of this writing there is no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog. Its CRITICAL rating reflects the impact of a successful attack rather than the likelihood of one: the EPSS score shown below (0.52%) estimates a low probability of in-the-wild exploitation at present. That estimate changes once exploit code circulates, so the flaw still warrants prompt patching and close monitoring.
Organizations using SalesKing for customer relationship management or sales tracking are at significant risk, in particular those running SalesKing 1.6.15 or earlier and those with limited security monitoring or slow patching practices. Shared WordPress hosting environments where PHP processes are not isolated between tenants are at additional risk, because a compromised SalesKing plugin on one site can reach other sites on the same server.
• List installed plugins and look for SalesKing. List every status rather than only inactive plugins: an active vulnerable copy is the one that matters, and an inactive copy still needs updating before it is reactivated.
wp plugin list | grep -i salesking
• Show the plugin's status and installed version (plugin slugs are lowercase; salesking is assumed here):
wp plugin status salesking
• Update all plugins, which pulls in the fixed SalesKing release:
wp plugin update --all
• Locate the plugin on disk by its header when WP-CLI is not available:
grep -ril 'Plugin Name: SalesKing' /var/www/html/wp-content/plugins/
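The WP-CLI checks above need a working WordPress install. The script below is an added example, not code from this advisory or from WebWizards: it audits a plugins directory straight from the plugin headers and decides whether the installed SalesKing falls in the affected range (1.6.15 and earlier), with a version comparison that treats 1.6 and 1.6.0 as equal and ignores suffixes such as -beta. It assumes the standard WordPress header format (Plugin Name: and Version: lines in the main PHP file one level below wp-content/plugins); the directory it audits is a constructed fixture.

```sh
#!/bin/sh
# Added example (not from the advisory or the SalesKing project): audit a WordPress
# plugins directory for a SalesKing copy in the affected range (<= 1.6.15) by
# reading the standard plugin header, so it works without WP-CLI or a live site.
# Assumptions: the plugin's main file sits one level below wp-content/plugins and
# carries "Plugin Name:" and "Version:" header lines; the fixture below is constructed.

# Compare two dotted versions numerically; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"   # drop suffixes such as "-beta"
        ai="${ai:-0}"; bi="${bi:-0}"               # so that 1.6 == 1.6.0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the given SalesKing version predates the 1.6.16 fix.
salesking_affected() {
    [ "$(vercmp "$1" 1.6.16)" -lt 0 ]
}

# Print the Version: header value of a plugin file (header lines may carry a
# leading "*" inside a /* ... */ block), or nothing if the header is absent.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Find SalesKing by its "Plugin Name:" header under a plugins directory and print
# "<version> affected" (exit 1), "<version> fixed" (exit 0), "unknown-version"
# (exit 2) or "not-installed" (exit 0).
audit_salesking() {
    plugins_dir="$1"
    for f in "$plugins_dir"/*/*.php; do
        [ -f "$f" ] || continue
        grep -qi '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:[[:space:]]*SalesKing' "$f" || continue
        v="$(plugin_version "$f")"
        if [ -z "$v" ]; then printf '%s\n' "unknown-version"; return 2; fi
        if salesking_affected "$v"; then printf '%s\n' "$v affected"; return 1; fi
        printf '%s\n' "$v fixed"; return 0
    done
    printf '%s\n' "not-installed"; return 0
}

# Constructed fixture: a throwaway plugins directory holding a SalesKing header
# at the given version next to an unrelated plugin; prints the directory path.
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/salesking" "$d/other-plugin"
    printf '<?php\n/**\n * Plugin Name: SalesKing\n * Version: %s\n */\n' "$1" > "$d/salesking/salesking.php"
    printf '<?php\n/*\nPlugin Name: Other Plugin\nVersion: 9.9.9\n*/\n' > "$d/other-plugin/other-plugin.php"
    printf '%s\n' "$d"
}

# Against a real site: audit_salesking /var/www/html/wp-content/plugins
fixture="$(make_fixture 1.6.15)"
if audit_salesking "$fixture"; then
    echo "no action needed"
else
    echo "action required: update SalesKing to 1.6.16 or later"
fi
rm -rf "$fixture"
```

The exit status is deliberately non-zero for an affected install so the script can gate a deployment pipeline or a cron-driven fleet check; for hosts where the plugin directory name differs, the header match rather than the path is what identifies SalesKing.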
Exploitation status
EPSS
0.52% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-22157 is to upgrade SalesKing to version 1.6.16 or later immediately. If an immediate upgrade is not feasible because of compatibility testing, the workarounds are limited: keep SalesKing's functionality reachable only by the roles that genuinely need it, review which accounts hold elevated roles, and, if the plugin is not in active use, deactivate it until it can be updated. A WAF may block some attack traffic but is not a substitute for patching, since an improper privilege management flaw is a logic error rather than a malformed-input problem. After upgrading, confirm that the reported plugin version is 1.6.16 or later and verify the fix by attempting to reach administrative functions with a non-administrative account and confirming that access is denied.
Update the SalesKing plugin to the latest available version; the unauthenticated privilege escalation vulnerability is fixed in versions after 1.6.15. To update, open the WordPress admin panel, go to the 'Plugins' section, search for 'SalesKing' and run the update.
CVE-2024-22157 is a critical vulnerability in SalesKing allowing attackers to gain elevated privileges, potentially compromising the entire WordPress site. It affects versions up to 1.6.15.
Yes, if you are using SalesKing version 1.6.15 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade SalesKing to version 1.6.16 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access based on user roles.
As of now there is no publicly known exploit, and the EPSS estimate of exploitation probability is low (0.52%). The CRITICAL severity nonetheless means a successful attack yields full control of the site, so patch without waiting for a proof of concept to appear.
Refer to the official SalesKing website or their WordPress plugin page for the latest security advisory and update information.