平台
wordpress
组件
cwicly
修复版本
1.4.1
CVE-2024-24707 describes a Remote Code Execution (RCE) vulnerability within the Cwicly Builder WordPress plugin. This flaw allows attackers to inject arbitrary code, potentially leading to complete server compromise. The vulnerability affects versions of Cwicly Builder up to and including 1.4.0.2, and a fix is available in version 1.4.1.
The impact of this RCE vulnerability is severe. An attacker could leverage it to execute arbitrary commands on the web server hosting the WordPress site. This could lead to data theft, website defacement, malware installation, or complete server takeover. Given the plugin's functionality as a visual builder, the attack surface is broad, potentially affecting any site using Cwicly Builder. The ability to execute arbitrary code bypasses standard WordPress security measures, making this a high-priority concern.
This vulnerability was publicly disclosed on April 3, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Cwicly Builder plugin, particularly those running versions prior to 1.4.1, are at significant risk. Shared hosting environments are especially vulnerable, as a compromised Cwicly Builder installation on one site could potentially impact other sites on the same server.
• wordpress / composer / npm:
wp plugin list | grep Cwicly• wordpress / composer / npm:
wp plugin update --all• wordpress / composer / npm:
wp plugin status | grep Cwicly• generic web: Check WordPress plugin directory for updated version 1.4.1 • wordpress / composer / npm:
wp plugin path cwicklydisclosure
漏洞利用状态
EPSS
0.42% (62% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to immediately upgrade Cwicly Builder to version 1.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Cwicly Builder functionality. While a direct WAF rule is difficult to implement without specific code injection patterns, monitoring for unusual file uploads or execution attempts related to Cwicly Builder can provide early detection. Review WordPress user permissions and ensure the principle of least privilege is enforced.
将 Cwicly 插件更新到最新可用版本。远程代码执行 (RCE) 漏洞在 1.4.0.2 之后的版本中已修复。请参阅插件文档以获取有关如何更新的详细说明。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-24707 is a critical Remote Code Execution vulnerability in the Cwicly Builder WordPress plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using Cwicly Builder versions 1.4.0.2 or earlier. Upgrade to 1.4.1 to resolve the issue.
Upgrade the Cwicly Builder plugin to version 1.4.1 or later through the WordPress plugin management interface.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the Cwicly website and WordPress plugin repository for the latest advisory and update information: https://www.cwicly.com/
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。