CVE-2024-9061

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 16, 2024 / Updated: 34d ago

010
CVSS 9.8EPSS 0.05%Critical
CVE info copied to clipboard

Summary

The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This vulnerability is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode, making it possible for unauthenticated attackers to execute arbitrary shortcodes.

Impact

This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes, which can lead to remote code execution. The potential impacts are severe, including unauthorized access to the WordPress site, data theft, site defacement, and using the compromised site as a pivot point for further attacks. Given the CVSS v3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability, this vulnerability poses a significant risk to affected WordPress installations.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Version 1.3.6 of the WP Popup Builder plugin incorporates the correct authorization check to prevent unauthorized access and fully addresses the vulnerability. It's worth noting that version 1.3.5 included a partial fix with a nonce check, which effectively prevented access to the affected function, but did not fully resolve the issue.

Mitigation

1. Immediately update the WP Popup Builder plugin to version 1.3.6 or later. 2. If immediate updating is not possible, consider temporarily disabling the WP Popup Builder plugin until the update can be applied. 3. Implement strong Web Application Firewall (WAF) rules to detect and block potential exploitation attempts. 4. Regularly monitor WordPress and plugin logs for any suspicious activities. 5. Ensure that the WordPress core and all other plugins are up-to-date to minimize overall attack surface. 6. Apply the principle of least privilege for WordPress user roles and permissions. 7. Conduct a thorough security audit of the WordPress installation to identify and address any other potential vulnerabilities.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9061. See article

Oct 16, 2024 at 7:36 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 16, 2024 at 7:37 AM
CVE Assignment

NVD published the first details for CVE-2024-9061

Oct 16, 2024 at 8:15 AM
CVSS

A CVSS base score of 7.3 has been assigned.

Oct 16, 2024 at 8:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 17.9%)

Oct 17, 2024 at 10:04 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 30, 2024 at 9:15 PM / nvd
Static CVE Timeline Graph

Affected Systems

Themehunk/wp_popup_builder
+null more

Patches

plugins.trac.wordpress.org
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
https:// github.com/RandomRobbieBF/CVE- 2024-9061 # wordpress
Update Fri Oct 18 22:38:54 UTC 2024
Update Fri Oct 18 22:38:54 UTC 2024
RandomRobbieBF/CVE-2024-9061
[GitHub]WP Popup Builder – Popup Forms and Marketing Lead Generation <=1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add
null
- HIGH - CVE-2024-9061 The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI