Platform
wordpress
Component
customify-sites
Fixed version
0.0.10
CVE-2024-33644 describes a Remote Code Execution (RCE) vulnerability within the Customify Site Library, a WordPress plugin. This vulnerability allows attackers to inject arbitrary code, potentially leading to complete system compromise. It impacts versions of the plugin up to and including 0.0.9, with a fix available in version 0.0.10.
The impact of CVE-2024-33644 is severe. Successful exploitation allows an attacker to execute arbitrary code on the server hosting the WordPress site. This could involve gaining unauthorized access to sensitive data, modifying website content, installing malware, or even taking complete control of the server. Given the plugin's functionality, attackers could potentially target user data, configuration files, and other critical assets. The potential blast radius extends to any connected systems accessible from the compromised WordPress server.
CVE-2024-33644 was publicly disclosed on 2024-05-17. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. While no public proof-of-concept (PoC) code was widely available at the time of writing, the ease of code injection in similar vulnerabilities suggests a high likelihood of PoCs emerging. Active exploitation campaigns are possible, particularly against sites running older, unpatched versions of the plugin.
Websites utilizing the Customify Site Library plugin, particularly those running older versions (≤0.0.9), are at significant risk. Shared hosting environments are especially vulnerable, as they often host multiple websites and may be slower to apply security updates. WordPress sites with limited security configurations or those lacking robust monitoring systems are also at increased risk.
• wordpress / composer / npm:
grep -r "Customify Site Library" /var/www/html/wp-content/plugins/
wp plugin list | grep -i customify
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/customify-site-library/ | grep -i 'Customify Site Library'
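The commands above only tell you whether the plugin is present. The following added example (not part of this advisory) goes one step further and reads the plugin's Version: header to decide whether the installed copy is still in the affected range (0.0.9 or lower) or already at the fixed version 0.0.10. The plugin directory layout and header format it uses are assumptions; the sample plugin directory is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: classify an installed Customify Site Library plugin as
# vulnerable (< 0.0.10), fixed, or not installed, from its Version: header.
# FIXED_VERSION comes from the advisory; paths and header layout are assumptions.

FIXED_VERSION="0.0.10"

# Print the Version: header value found in the plugin's top-level PHP files.
plugin_version() {
    grep -h -m1 -i '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' | head -n 1
}

# Return 0 if dotted version $1 is lower than $2, comparing component by
# component so that 0.0.9 sorts below 0.0.10 (a string compare gets this wrong).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# Print "vulnerable", "fixed" or "not-installed" for a plugin directory.
check_customify() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then echo "not-installed"; return 0; fi
    if version_lt "$v" "$FIXED_VERSION"; then echo "vulnerable"; else echo "fixed"; fi
}

# Build a constructed sample plugin directory (assumed slug customify-sites).
make_sample() {
    d="$(mktemp -d)/customify-sites"
    mkdir -p "$d"
    printf '<?php\n/*\nPlugin Name: Customify Site Library\nVersion: %s\n*/\n' "$1" \
        > "$d/customify-sites.php"
    echo "$d"
}

# Real use: check_customify /var/www/html/wp-content/plugins/customify-sites
for ver in 0.0.9 0.0.10; do
    echo "Version $ver -> $(check_customify "$(make_sample "$ver")")"
done
```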
Exploitation status
EPSS
17.04% (95th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-33644 is to immediately upgrade the Customify Site Library plugin to version 0.0.10 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Web application firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of protection. Monitor WordPress plugin activity logs for suspicious code execution patterns. After upgrading, verify the fix by attempting to trigger the vulnerability using known attack vectors (if available) and confirming that the code injection is prevented.
Update the Customify Site Library plugin to the latest available version. The Remote Code Execution (RCE) vulnerability exists in older versions; updating resolves the issue.
CVE-2024-33644 is a critical Remote Code Execution vulnerability in the Customify Site Library WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Customify Site Library version 0.0.9 or earlier. Check your plugin versions immediately.
Upgrade Customify Site Library to version 0.0.10 or later to resolve the vulnerability. Disable the plugin temporarily if upgrading is not immediately possible.
While no widespread exploitation has been confirmed, the high CVSS score and ease of code injection suggest a high likelihood of exploitation.
Refer to the Customify website and WordPress plugin repository for the official advisory and update information.