平台
wordpress
组件
wishlist-member-x
修复版本
3.26.7
3.26.7
CVE-2024-37109 is a critical Remote Code Execution (RCE) vulnerability discovered in the Wishlist Member plugin for WordPress. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to execute arbitrary code on the server. The vulnerability affects versions of the plugin up to and excluding 3.26.7, and a patch has been released in version 3.26.7.
The impact of this RCE vulnerability is severe. An attacker with Subscriber-level access can gain complete control over the WordPress server, potentially leading to data breaches, website defacement, malware installation, and complete system compromise. This could include accessing sensitive user data stored within the WordPress database, modifying website content, and using the server as a launchpad for further attacks against other systems on the network. The ease of exploitation, requiring only Subscriber privileges, significantly broadens the attack surface.
This vulnerability was publicly disclosed on June 20, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the ease of exploitation and the plugin's popularity suggest a high likelihood of exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
WordPress websites utilizing the Wishlist Member plugin, particularly those with a large number of Subscriber-level users or those lacking robust access controls, are at significant risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
wp plugin list --status=active | grep Wishlist Member• wordpress / composer / npm:
wp plugin update --all• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wishlist-member/ | grep 'Wishlist Member'• generic web: Check WordPress plugin directory for version 3.26.7 or higher.
disclosure
漏洞利用状态
EPSS
0.85% (75% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the plugin's administrative functions to trusted users only. Implement a Web Application Firewall (WAF) with rules to block suspicious requests targeting the vulnerable plugin endpoints. Monitor WordPress logs for unusual activity, particularly requests originating from unauthorized users.
Update to version 3.26.7, or a newer patched version
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-37109 is a critical Remote Code Execution vulnerability in the Wishlist Member WordPress plugin, allowing authenticated attackers to execute code on the server.
You are affected if you are using Wishlist Member WordPress plugin versions prior to 3.26.7. Check your plugin version immediately.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. If immediate upgrade is not possible, restrict access and implement WAF rules.
While no active exploitation campaigns have been confirmed, the ease of exploitation suggests a high likelihood of exploitation attempts.
Refer to the Wishlist Member website and WordPress plugin directory for the latest advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。