Improper Control of Generation of Code ('Code Injection') (CWE-94)
The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This vulnerability allows authenticated attackers with subscriber-level access and above to call arbitrary functions, which can be leveraged for privilege escalation by changing users' passwords.
This vulnerability has a high severity impact. Attackers with low-level authenticated access (subscriber or above) can execute unauthorized code, potentially leading to privilege escalation. They could change user passwords, including those of administrators, effectively taking control of the WordPress site. This could result in unauthorized access to sensitive information, manipulation of website content, and potential complete compromise of the affected WordPress installation.
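The bug class named above (a request parameter that selects which function the AJAX handler calls, with no allowlist) is easiest to see beside its fix. The following is an added illustration written for this page, not the Frontend Dashboard plugin's own code; every function, action and capability name in it is constructed for the example.

```php
<?php
// Added illustration of CWE-94 in an AJAX dispatcher (constructed, not the
// plugin's code). Names such as fd_get_profile and FD_ALLOWED_ACTIONS are
// hypothetical.

// WEAK PATTERN: the request names the function to run and the handler calls
// whatever it is handed. is_callable() only checks that something can be
// called, not that it was meant to be exposed, so any logged-in user who can
// reach the endpoint can invoke arbitrary callables.
function weak_ajax_request(array $request) {
    $fn = $request['method'] ?? '';
    if (is_callable($fn)) {
        return call_user_func($fn, $request['args'] ?? []);
    }
    return null;
}

// HARDENED PATTERN: a fixed map from action names to the handlers this
// endpoint is meant to expose, each with the capability it requires. The
// user-controlled value only selects a key; it never becomes a callable.
const FD_ALLOWED_ACTIONS = [
    'get_profile'  => ['handler' => 'fd_get_profile',  'cap' => 'read'],
    'update_email' => ['handler' => 'fd_update_email', 'cap' => 'edit_users'],
];

function hardened_ajax_request(array $request, callable $current_user_can) {
    $action = (string) ($request['method'] ?? '');
    if (!array_key_exists($action, FD_ALLOWED_ACTIONS)) {
        return ['ok' => false, 'error' => 'unknown action']; // reject, never guess
    }
    $spec = FD_ALLOWED_ACTIONS[$action];
    if (!$current_user_can($spec['cap'])) {
        return ['ok' => false, 'error' => 'forbidden'];      // per-action authz
    }
    $data = call_user_func($spec['handler'], $request['args'] ?? []);
    return ['ok' => true, 'data' => $data];
}

function fd_get_profile(array $args)  { return ['user' => (int) ($args['id'] ?? 0)]; }
function fd_update_email(array $args) { return ['updated' => true]; }

// In a WordPress plugin the dispatcher would be reached through an admin-ajax
// hook that also verifies a nonce (hook and nonce names constructed here).
if (function_exists('add_action')) {
    add_action('wp_ajax_fd_request', function () {
        check_ajax_referer('fd_request');              // CSRF protection
        wp_send_json(hardened_ajax_request(wp_unslash($_POST), 'current_user_can'));
    });
}
```

The allowlist lookup, not sanitisation of the function name, is what closes the hole: a name that is not a key in the map is rejected before anything is called.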
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.
A patch is available. The vulnerability affects all versions of the Frontend Dashboard plugin for WordPress up to and including version 2.2.4. A fix has been implemented in version 2.2.5, as indicated by the patch details provided.
1. Update the Frontend Dashboard plugin to version 2.2.5 or later as soon as possible.
2. If immediate updating is not possible, disable or remove the Frontend Dashboard plugin from all WordPress installations until the update can be applied.
3. Conduct a thorough review of user accounts and their privileges, focusing especially on subscriber-level accounts that might have been compromised.
4. Implement strong password policies and enable two-factor authentication for all user accounts, especially administrator accounts.
5. Monitor WordPress installations for any suspicious activity, particularly user privilege changes or unexpected password resets.
6. Consider implementing a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.
7. Regularly back up your WordPress installations and keep them up to date, including all plugins and themes.
8. After updating, test the plugin functionality in a staging environment before deploying to production.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-8268.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-8268
A CVSS base score of 8.8 has been assigned.
EPSS Score was set to: 0.06% (Percentile: 23.6%)
Detection for the vulnerability has been added to Qualys (152217)