Platform
wordpress
Component
postpage-import-export-with-custom-fields-taxonomies
Fixed version
2.0.4
CVE-2025-24677 describes a Remote Code Execution (RCE) vulnerability in the wpspin Post/Page Copying Tool WordPress plugin (slug postpage-import-export-with-custom-fields-taxonomies). The underlying weakness is improper control of code generation (code injection): the plugin can be made to include and execute code it did not ship with, including code fetched from a location the attacker controls (remote code inclusion). All versions up to and including 2.0.3 are affected; the fix is in version 2.0.4.
The impact is severe. Code included this way runs inside the PHP process with the web server user's privileges and with the plugin's full access to the WordPress database, so WordPress role and capability checks no longer constrain the attacker. From there an attacker can read sensitive data, modify site content, install persistent backdoors or malware, and use the server as a foothold for further attacks. Because the vulnerability is a remote code inclusion rather than a fixed injected payload, the attacker can change what executes at will simply by changing what is served from the remote location.
CVE-2025-24677 was publicly disclosed on 2025-02-04. An RCE in a publicly listed plugin is attractive to attackers, but the EPSS estimate shown on this page (0.12%, 31st percentile) is low and no public proof-of-concept (PoC) had been confirmed at the time of writing, so the "likely target" assessment is a judgement about the bug class rather than observed activity. Monitor security advisories and threat intelligence feeds for indications of active exploitation.
WordPress sites running the wpspin Post/Page Copying Tool at any version before 2.0.4 are at risk. Sites that expose the plugin's functionality to low-privileged or unauthenticated users are the most exposed, since the vulnerable code path is reachable without an administrator account in that case. Shared hosting environments deserve extra attention: unless each site runs under its own system user with its own filesystem permissions, code running in one compromised site can read and modify files belonging to others on the same host.
• wordpress (filesystem): confirm the plugin directory exists and read the version from its plugin header (grep -r on the slug searches file contents, not directory names, so it can miss the plugin):
ls -d /var/www/html/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies
grep -m1 -E '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/*.php
• generic web (remote, unauthenticated): a 200 or 403 response for the plugin directory shows the plugin is present, but the response headers do not reveal its version; the Server header only identifies the web server software:
curl -I https://your-wordpress-site.com/wp-content/plugins/postpage-import-export-with-custom-fields-taxonomies/
• wordpress (WP-CLI): print the installed version directly:
wp plugin get postpage-import-export-with-custom-fields-taxonomies --field=version
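The check the commands above perform by hand, as a small script that can be run across many installs. This is an added example written for this advisory, not code from the wpspin project or from the original page. It assumes the standard WordPress layout (wp-content/plugins/<slug>/ with the version in the "Version:" header comment of a top-level .php file); the sample header and the file name plugin.php are constructed for the example and are not the plugin's real main file. The point it makes beyond the shell commands is the version comparison: it must be numeric per component, because a plain string comparison would call 2.0.10 vulnerable and 2.0.4.0 not equal to 2.0.4.

```python
"""Installed-version check for CVE-2025-24677.

Added example for this advisory; not code from the wpspin project or from the
original page.  WordPress stores a plugin's version in the header comment of
the plugin's main PHP file ("Version: x.y.z"), so the check reads that header
from the plugin directory and compares it numerically with the fixed release.
The affected range is everything below 2.0.4.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

PLUGIN_SLUG = "postpage-import-export-with-custom-fields-taxonomies"
FIXED_VERSION = "2.0.4"

# "Version:" line of a WordPress plugin header comment, e.g. " * Version: 2.0.3".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Turn '2.0.3' into (2, 0, 3).  Parsing stops at the first non-numeric
    component, so a pre-release tag such as '2.0.4-beta' compares as 2.0.4."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release.
    Components are compared as integers after padding to equal length, so
    2.0.10 is correctly newer than 2.0.4 and 2.0.4.0 equals 2.0.4; a string
    comparison would get both of these wrong."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version header from plugin PHP source, or None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def check_install(plugins_dir: str) -> dict:
    """Inspect <plugins_dir>/<slug>/ and report installed, version and affected.
    Only top-level .php files are scanned, which is where WordPress itself
    looks for the plugin header."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    result = {"installed": plugin_dir.is_dir(), "version": None, "affected": False}
    if not result["installed"]:
        return result
    for php in sorted(plugin_dir.glob("*.php")):
        version = version_from_header(php.read_text(errors="replace"))
        if version:
            result["version"] = version
            result["affected"] = version_is_affected(version)
            break
    return result


# Constructed sample header for a 2.0.3 install; the contents and the file
# name used in demo() are made up for this example, not the plugin's real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post/Page Copying Tool
 * Description: constructed sample header for the version check example
 * Version: 2.0.3
 * Author: wpspin
 */
"""


def demo() -> dict:
    """Build a throwaway plugins directory holding the sample header and run
    the check against it; returns the result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / PLUGIN_SLUG
        plugin_dir.mkdir()
        (plugin_dir / "plugin.php").write_text(SAMPLE_HEADER)
        return check_install(tmp)


if __name__ == "__main__":
    import sys
    # Pass the real plugins directory as the first argument to check a live site.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_install(target) if target else demo())
```

Run it with the path to a real wp-content/plugins directory to check a live install; with no argument it checks the constructed sample and reports a 2.0.3 install as affected. Pre-release tags are deliberately ignored in the comparison, so a hypothetical 2.0.4-beta would be reported as fixed; treat that as a conservative choice only if the vendor actually shipped the fix in such a build.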
Exploitation status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-24677 is to upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later immediately. If upgrading is not feasible right away because of compatibility concerns, deactivate the plugin until it can be updated; a deactivated plugin's PHP is not loaded by WordPress, although its files remain on disk. A Web Application Firewall (WAF) with rules against code-injection and remote-include patterns adds a layer of defense, but without a published description of the vulnerable request it cannot be relied on to block every variant, so treat it as a stopgap rather than a fix. Note also that upgrading removes the vulnerability, not anything an attacker already placed on the server: if the site was reachable while vulnerable, review it for unexpected files, modified plugin or theme code, and unknown administrator accounts. Regularly review installed plugins and keep only trusted, maintained ones up to date.
Update the 'Post/Page Copying Tool' plugin to version 2.0.4 or later to mitigate the remote code execution vulnerability. This update addresses the improper control of code generation, preventing the inclusion of malicious code. Always back up your site before updating the plugin.
CVE-2025-24677 is a critical Remote Code Execution vulnerability in the wpspin Post/Page Copying Tool, allowing attackers to execute arbitrary code on a WordPress website.
Yes, if you are using wpspin Post/Page Copying Tool versions 0.0.0 through 2.0.3, you are vulnerable to this RCE.
Upgrade the wpspin Post/Page Copying Tool to version 2.0.4 or later to remediate the vulnerability. If immediate upgrade is not possible, disable the plugin.
No confirmed exploitation is currently public, and the EPSS estimate on this page (0.12%) is low; the severity of the bug class nevertheless makes exploitation plausible, so patch rather than wait for reports.
Refer to the wpspin project's official website or WordPress plugin repository for the latest advisory and update information.