CVE-2024-8512

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 9.1 / EPSS 0.06% / Critical

Summary

A code injection vulnerability in the W3SPEEDSTER plugin for WordPress, affecting all versions up to and including 7.26. The 'script' parameter of the plugin's hookBeforeStartOptimization() function is passed to eval(), so an authenticated user with Administrator-level access or above can execute arbitrary PHP on the server. The weakness is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection'). NVD assigned a CVSS 3.1 base score of 9.1 (Critical); the "HIGH" label that appears in the timeline below was Feedly's preliminary estimate before the NVD score was published.
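The vulnerable construct described in the Wordfence text quoted under News (a 'script' request parameter handed to eval()) next to a hardened handler, as an added PHP illustration. This is not the W3SPEEDSTER plugin's source: the function names, the allowlist and the stand-in WordPress functions are assumptions made for this example; only the 'script' parameter and the eval() sink come from the published description. The hardened version replaces eval() with the standard WordPress controls (capability check, nonce, allowlisted action).

```php
<?php
// Added illustration of the CWE-95 pattern in a WordPress plugin handler.
// It is NOT the W3SPEEDSTER plugin's source: the function names and the
// allowlist are hypothetical; only the 'script' request parameter and the
// eval() sink come from the published description.

// Stand-ins for WordPress core functions so this file runs from the CLI.
// Inside WordPress these come from core and must never be redefined.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return is_string( $v ) ? stripslashes( $v ) : $v; }
    function sanitize_key( $k ) { return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $k ) ); }
    function current_user_can( $cap ) { return ! empty( $GLOBALS['stub_is_admin'] ); }
    function check_admin_referer( $action ) {
        if ( ( $_POST['_wpnonce'] ?? '' ) !== 'stub-valid-nonce' ) { throw new RuntimeException( 'Nonce check failed' ); }
    }
    function wp_die( $message, $title = '', $args = array() ) { throw new RuntimeException( $message ); }
}

// --- Vulnerable (CWE-95): request data is handed to eval() verbatim ---
function w3s_before_start_optimization_vulnerable() {
    if ( isset( $_POST['script'] ) ) {
        $script = wp_unslash( $_POST['script'] );
        eval( $script ); // whoever reaches this handler executes arbitrary PHP as the web server user
    }
}

// --- Hardened: no eval(); the request selects one of the plugin's own actions ---
function w3s_pre_optimization_actions() {
    // Only code shipped with the plugin can run; input chooses which entry.
    return array(
        'flush_cache' => function () { return 'cache flushed'; },
        'purge_css'   => function () { return 'generated css purged'; },
    );
}

function w3s_before_start_optimization_hardened() {
    // 1. Capability check: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the request must carry a nonce bound to this action,
    //    so a logged-in admin cannot be made to submit it from another site.
    check_admin_referer( 'w3s_pre_optimization' );
    // 3. Validation: the parameter is an allowlist key, never code.
    $action  = sanitize_key( wp_unslash( $_POST['script'] ?? '' ) );
    $actions = w3s_pre_optimization_actions();
    if ( ! isset( $actions[ $action ] ) ) {
        wp_die( 'Unknown action', '', array( 'response' => 400 ) );
    }
    return $actions[ $action ]();
}

// Constructed request: the shape of what an Administrator-level attacker would submit.
$_POST = array(
    'script'   => 'echo "injected: " . php_uname(), "\n";',
    '_wpnonce' => 'stub-valid-nonce',
);
$GLOBALS['stub_is_admin'] = true;

w3s_before_start_optimization_vulnerable();        // the payload runs
try {
    w3s_before_start_optimization_hardened();      // the same payload is rejected
} catch ( RuntimeException $e ) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
$_POST['script'] = 'flush_cache';                  // a legitimate selection still works
echo 'hardened: ', w3s_before_start_optimization_hardened(), "\n";
```

Run it with `php` on the command line. The point of the hardened version is that the request never becomes code: the parameter is reduced to an allowlist key, and the capability and nonce checks stop both lower-privileged users and cross-site requests from an administrator's browser. A design that genuinely needs administrator-supplied PHP has no safe eval() form; it should be removed.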

Impact

An attacker who holds an Administrator-level account (or a valid session for one) can inject and execute arbitrary PHP in the context of the affected WordPress installation. Potential impacts include:
1. Unauthorized access to sensitive data, including the database credentials stored in wp-config.php
2. Manipulation of website content
3. Installation of malware or backdoors, including web shells that persist after the plugin is removed
4. Compromise of the entire WordPress site and potentially the underlying server (the CVSS Scope: Changed metric reflects that the impact is not confined to the plugin)
5. Use of the compromised site to attack other systems or spread malware
Because Administrator-level access is already a highly privileged position in WordPress, the practical value of this flaw to an attacker is the step from the WordPress application to the operating system: for example from a compromised or phished administrator account, or on shared hosting where site administrators are deliberately not given shell access.

Exploitation

No public proof-of-concept has been reported, and there is no evidence of exploitation in the wild at the time of writing. The EPSS score of 0.06% (24.3rd percentile) is consistent with that: the flaw requires an Administrator-level account, which limits opportunistic mass exploitation.

Patch

As of October 30, 2024, this page carries no fixed-version information; the Wordfence description states that all versions up to and including 7.26 are affected. Administrators running W3SPEEDSTER should watch the plugin's changelog and the Wordfence advisory for a release that removes the eval() call, and treat every installed version up to and including 7.26 as vulnerable until then.

Mitigation

Until a fixed release is confirmed, the following steps reduce exposure:
1. Because exploitation requires an Administrator-level account, audit and minimize the set of administrators, enforce strong authentication (MFA) for them, and review recent administrator logins and plugin-settings changes.
2. Consider deactivating W3SPEEDSTER until a fixed version is available; the vulnerable code path is in the plugin, not in WordPress core.
3. Keep WordPress core, themes, and plugins updated to the latest versions.
4. Apply the principle of least privilege to WordPress user roles and to file permissions on the web root, so that code running as the web server user can do as little as possible.
5. Use a Web Application Firewall (WAF) or security plugin to detect and block requests carrying PHP code in form parameters; treat this as defence in depth, since an administrator can legitimately reach the handler.
6. Monitor WordPress and web-server logs for unexpected POST requests to plugin endpoints and for unauthorized file changes.
7. Back up the installation regularly and keep offline copies.
8. In custom plugins and themes, never pass user-controllable input to eval(); validate input against an allowlist of expected values instead.
Note that a WAF or security plugin cannot distinguish a malicious administrator from a legitimate one, so items 1 and 2 matter most for this particular issue.
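A check a practitioner can run against an installed plugin tree to find the class of sink behind this CVE, added here as an example (it is not from the page, from Wordfence or from the plugin). It uses PHP's own tokenizer to list every eval() call and flags those whose argument expression directly references a request superglobal. It does no data-flow tracking, so a variable filled from $_POST on an earlier line is listed as an eval() but not marked as direct request input; the sample plugin file it scans is constructed for this example, and its function body is invented, not the plugin's real code.

```php
<?php
// Added triage check, not part of the page or of the plugin: find eval()
// calls whose argument expression directly references a request superglobal.
// Token-based, no data-flow tracking: a variable filled from $_POST on an
// earlier line is reported as an eval() but not as direct request input.

const REQUEST_SUPERGLOBALS = array( '$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES' );

function find_eval_sinks( string $source ): array {
    $findings = array();
    $tokens   = token_get_all( $source );
    $count    = count( $tokens );

    for ( $i = 0; $i < $count; $i++ ) {
        if ( ! is_array( $tokens[ $i ] ) || $tokens[ $i ][0] !== T_EVAL ) {
            continue;
        }
        // Reassemble the argument text between eval's outer parentheses.
        $depth = 0;
        $arg   = '';
        for ( $j = $i + 1; $j < $count; $j++ ) {
            $text = is_array( $tokens[ $j ] ) ? $tokens[ $j ][1] : $tokens[ $j ];
            if ( '(' === $text ) {
                $depth++;
                if ( 1 === $depth ) { continue; } // skip eval's own opening paren
            } elseif ( ')' === $text ) {
                $depth--;
                if ( 0 === $depth ) { break; }    // matching close: argument complete
            }
            if ( $depth > 0 ) { $arg .= $text; }
        }
        $direct = false;
        foreach ( REQUEST_SUPERGLOBALS as $sg ) {
            if ( false !== strpos( $arg, $sg ) ) { $direct = true; break; }
        }
        $findings[] = array(
            'line'                 => $tokens[ $i ][2],
            'argument'             => trim( $arg ),
            'direct_request_input' => $direct,
        );
    }
    return $findings;
}

// Walk a plugin directory (e.g. wp-content/plugins/) and report every eval().
function scan_directory( string $dir ): array {
    $report = array();
    $iter   = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $iter as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) { continue; }
        foreach ( find_eval_sinks( file_get_contents( $file->getPathname() ) ) as $f ) {
            $report[] = array( 'file' => $file->getPathname() ) + $f;
        }
    }
    return $report;
}

// Constructed sample modelled on the published description; the body is
// invented for this example and is not the plugin's real code.
$sample = <<<'PHPSRC'
<?php
function hookBeforeStartOptimization() {
    if ( isset( $_POST['script'] ) ) {
        eval( stripslashes( $_POST['script'] ) );   // direct request input
    }
    $tpl = get_option( 'w3s_template' );
    eval( '?>' . $tpl );                           // indirect: stored option, needs manual review
}
PHPSRC;

$report = isset( $argv[1] ) ? scan_directory( $argv[1] ) : find_eval_sinks( $sample );
foreach ( $report as $f ) {
    printf( "%s line %d: eval(%s) %s\n",
        $f['file'] ?? '<sample>', $f['line'], $f['argument'],
        $f['direct_request_input'] ? '<- REQUEST DATA' : '(review data flow)' );
}
```

With no argument the script scans the embedded sample; with a directory argument (`php eval_scan.php wp-content/plugins/`) it walks every .php file under it. Every eval() it lists deserves a look, but only the entries marked as request data are the exact shape described for this CVE; the others need a manual check of where the evaluated string comes from.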

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8512. See article

Oct 30, 2024 at 11:07 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 30, 2024 at 11:07 AM
CVE Assignment

NVD published the first details for CVE-2024-8512

Oct 30, 2024 at 11:15 AM
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 30, 2024 at 11:20 AM / nvd
EPSS

EPSS Score was set to: 0.06% (Percentile: 24.3%)

Oct 31, 2024 at 10:14 AM

Affected Systems

Wordpress/wordpress (the vulnerable code is in the W3SPEEDSTER plugin, all versions up to and including 7.26, not in WordPress core)

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 28, 2024 to November 3, 2024)
WordPress Plugins with Reported Vulnerabilities Last Week. All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers.
CVE Alert: CVE-2024-8512 - https://www.redpacketsecurity.com/cve_alert_cve-2024-8512/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_8512
- CRITICAL - CVE-2024-8512 The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High
