平台
wordpress
组件
js-support-ticket
修复版本
2.8.7
CVE-2024-7094 is a critical Remote Code Execution (RCE) vulnerability discovered in the JS Help Desk – The Ultimate Help Desk & Support Plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary code on the server due to insufficient input sanitization within the 'storeTheme' function. Versions of the plugin up to and including 2.8.6 are affected, and a full fix is available in version 2.8.7.
The impact of CVE-2024-7094 is severe. Successful exploitation allows an attacker to execute arbitrary PHP code on the web server hosting the WordPress site. This can lead to complete server compromise, including data theft, modification, or deletion. Attackers could also leverage this access to install malware, create backdoors for persistent access, or launch further attacks against other systems on the network. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of malicious actors.
CVE-2024-7094 was publicly disclosed on August 13, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation attempts. Public proof-of-concept code is likely to emerge, further increasing the risk. This vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites using the JS Help Desk plugin, particularly those running versions prior to 2.8.7, are at significant risk. Shared hosting environments are especially vulnerable, as a compromise of one site can potentially impact others on the same server. Sites with weak WordPress security configurations or those lacking regular plugin updates are also at increased risk.
• wordpress / composer / npm:
grep -r 'storeTheme' /var/www/html/wp-content/plugins/js-help-desk/• wordpress / composer / npm:
wp plugin list --status=all | grep 'JS Help Desk'• wordpress / composer / npm:
wp plugin update js-help-desk• generic web: Check WordPress plugin directory for updates and security advisories related to JS Help Desk.
disclosure
漏洞利用状态
EPSS
71.96% (99% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-7094 is to immediately upgrade the JS Help Desk plugin to version 2.8.7 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting access to the 'storeTheme' function. This could involve modifying the plugin's code (with caution and thorough testing) or using a WordPress security plugin to block access to the vulnerable endpoint. Monitor WordPress access logs for suspicious activity related to the 'storeTheme' function. After upgrading, confirm the fix by attempting to trigger the vulnerability via a controlled test – ensure no code execution occurs.
将 JS Help Desk – The Ultimate Help Desk & Support Plugin 插件更新到 2.8.7 或更高版本。此版本修复了允许远程代码执行的 PHP 代码注入漏洞。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-7094 is a critical Remote Code Execution vulnerability in the JS Help Desk WordPress plugin, allowing attackers to execute code on the server if you're using versions up to 2.8.6.
Yes, if you are using the JS Help Desk plugin version 2.8.6 or earlier, you are vulnerable to this RCE vulnerability. Upgrade immediately.
Upgrade the JS Help Desk plugin to version 2.8.7 or later to resolve this vulnerability. If immediate upgrade isn't possible, consider temporary workarounds like restricting access to the 'storeTheme' function.
While no confirmed active exploitation campaigns have been reported, the CRITICAL severity and ease of exploitation suggest a high likelihood of exploitation attempts.
Refer to the JS Help Desk plugin's official website and WordPress plugin repository for the latest security advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。