Platform
wordpress
Component
wpcom-member
Fixed version
1.5.3
CVE-2024-7493 is a privilege escalation vulnerability affecting the WPCOM Member plugin for WordPress. This flaw allows unauthenticated attackers to elevate their user role to administrator during the registration process, granting them complete control over the affected WordPress site. The vulnerability impacts versions up to and including 1.5.2.1, and a patch is available from the plugin developers.
The impact of CVE-2024-7493 is severe. Successful exploitation allows an attacker to gain full administrative access to a WordPress site without requiring any prior authentication. This grants them the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially compromise the entire server. The ease of exploitation, requiring only a successful registration, significantly broadens the attack surface and increases the risk of widespread compromise for WordPress installations using the vulnerable plugin.
CVE-2024-7493 was publicly disclosed on 2024-09-06. No known public exploits or active campaigns have been reported at the time of writing, but the ease of exploitation makes it a likely target. It is not currently listed on the CISA KEV catalog. The vulnerability's simplicity suggests a high probability of exploitation if left unpatched.
WordPress websites with the WPCOM Member plugin installed and active are at risk. Sites with limited security monitoring or no automated update process are particularly exposed. Shared hosting environments where plugin updates are managed by the hosting provider may also be at increased risk if updates are not promptly applied.
• wordpress / composer / npm:
wp plugin list --status=inactive | grep wpcom-member
• wordpress / composer / npm:
wp plugin update --all
• wordpress / composer / npm:
wp plugin status wpcom-member
• wordpress / composer / npm:
wp option get admin_email # Check for unusual admin email addresses after registration
Exploitation status
EPSS
1.02% (77th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7493 is to immediately update the WPCOM Member plugin to a version higher than 1.5.2.1. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent new registrations. While a direct WAF rule is difficult to implement, monitoring for unusual user registration patterns (e.g., rapid role changes) can provide early detection. After upgrading, verify the fix by attempting a new user registration and confirming that the user role is not automatically elevated to administrator.
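As an added example (not part of this advisory or the plugin's own code), two POSIX shell checks a defender can run: one tells whether a WPCOM Member version string falls in the vulnerable range stated above (1.5.2.1 and earlier), the other flags administrator accounts registered on or after a cutoff date, which is the trace an exploited registration would leave. The sample CSV is constructed; on a live site, pipe in the output of the WP-CLI `wp user list` command shown in the comment.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side checks for CVE-2024-7493.
# The functions are plain text processing, so they also work on captured output.

# Return 0 when the given WPCOM Member version is in the vulnerable range
# (<= 1.5.2.1, as stated in the advisory), 1 when it is newer.
wpcom_member_is_vulnerable() {
    # Compare dotted version numbers field by field, padding to four fields.
    awk -v v="$1" 'BEGIN {
        split(v, a, ".");
        for (i = 1; i <= 4; i++) if (a[i] == "") a[i] = 0;
        last[1] = 1; last[2] = 5; last[3] = 2; last[4] = 1;   # 1.5.2.1
        for (i = 1; i <= 4; i++) {
            if (a[i] + 0 < last[i]) exit 0;   # older than 1.5.2.1 -> vulnerable
            if (a[i] + 0 > last[i]) exit 1;   # newer -> patched
        }
        exit 0;                               # exactly 1.5.2.1 -> vulnerable
    }'
}

# Print the login of every administrator registered on or after the cutoff
# date (YYYY-MM-DD). Input is the CSV produced by:
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# A brand-new administrator created through the registration form is the
# tell-tale sign of this bug being abused.
flag_recent_admins() {
    awk -F, -v cutoff="$1" 'NR > 1 && substr($3, 1, 10) >= cutoff { print $2 }'
}

# Constructed sample output (not real data) so the check can be dry-run offline.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,2021-03-12 09:14:55
57,qwerty1234,2024-09-07 02:41:08'

# Dry run against the sample, using the advisory's disclosure date as cutoff.
# Live usage: replace the printf with the wp user list command above.
check_site() {
    printf '%s\n' "$SAMPLE_ADMINS" | flag_recent_admins 2024-09-06
}
```

Any login printed by `check_site` on a live site deserves a manual look at the account's registration time and capabilities before the plugin is updated.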
Update the WPCOM Member plugin to the latest available version. Version 1.5.2.2 or later fixes this privilege escalation vulnerability, which prevents unauthorized users from registering as administrators.
CVE-2024-7493 is a critical vulnerability in the WPCOM Member plugin for WordPress allowing unauthenticated attackers to gain administrator privileges during user registration.
You are affected if your WordPress site uses the WPCOM Member plugin version 1.5.2.1 or earlier. Check your plugin version and update immediately.
Update the WPCOM Member plugin to a version higher than 1.5.2.1. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the vulnerability's simplicity makes it a likely target. Monitor your site closely.
Refer to the official WPCOM Member plugin website or WordPress.org plugin repository for the latest advisory and update information.