Missing Authorization (CWE-862)
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This vulnerability allows unauthenticated attackers to install and activate arbitrary plugins, or upload arbitrary files disguised as plugins.
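The flaw described above is the classic CWE-862 shape in a WordPress REST route: the handler does real work, but nothing checks who is calling it. The following is an added illustration, not GutenKit's code; the `example/v1` namespace, the `example_install_and_activate` function name and the exact capabilities checked are assumptions, while the WordPress APIs called are real. It shows the vulnerable `permission_callback` beside the hardened one, and resolves the plugin through the wordpress.org directory rather than a caller-supplied archive.

```php
<?php
// Added example, not the GutenKit plugin's code. The 'example/v1' namespace
// and function names are hypothetical; the WordPress APIs called are real.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-active-plugin', array(
        'methods'  => 'POST',
        'callback' => 'example_install_and_activate',
        // Vulnerable form (CWE-862): 'permission_callback' => '__return_true'
        // lets an unauthenticated request reach the handler. Hardened form:
        // require the capabilities WordPress itself uses for these actions.
        // REST cookie auth already demands a valid X-WP-Nonce, so a plain
        // capability test is the right check here.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );

function example_install_and_activate( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug via the wordpress.org directory instead of trusting a
    // caller-supplied download URL, so arbitrary archives cannot be installed.
    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return new WP_Error( 'unknown_plugin', 'Plugin not found.', array( 'status' => 404 ) );
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'Install failed.', array( 'status' => 500 ) );
    }

    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'installed' => $api->slug, 'active' => true ) );
}
```

An unauthenticated request to the hardened route is rejected by WordPress with a 401 before the callback runs, which is the behaviour the vulnerable endpoint lacked.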
This vulnerability has a severe impact on affected WordPress installations. Unauthenticated attackers can exploit this flaw to:
1. Install and activate arbitrary plugins, potentially introducing malicious code into the WordPress site.
2. Upload arbitrary files disguised as plugins, which could lead to remote code execution.
3. Compromise the confidentiality, integrity, and availability of the affected WordPress site.
4. Gain unauthorized control over the website, potentially leading to data theft, defacement, or use of the server for malicious purposes.
The CVSS v3.1 base score of 9.8 (Critical) indicates that this vulnerability is extremely severe, with high impacts on confidentiality, integrity, and availability.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.
A patch is not explicitly mentioned in the provided information. However, since the vulnerability affects all versions up to and including 2.1.0 of the GutenKit plugin, a patched version (presumably 2.1.1 or higher) is likely available or forthcoming. The security team should check for updates to the GutenKit plugin and apply them as soon as they become available.
1. Immediately update the GutenKit plugin to a version higher than 2.1.0 if a patched version is available.
2. If no patch is available, consider temporarily disabling or removing the GutenKit plugin until a fix is released.
3. Implement strong web application firewall (WAF) rules to block attempts to access the vulnerable REST API endpoint.
4. Monitor WordPress installations for any suspicious plugin installations or file uploads.
5. Regularly audit installed plugins and remove any that are not recognized or necessary.
6. Implement the principle of least privilege for WordPress user roles and capabilities.
7. Keep WordPress core, all themes, and plugins up to date with the latest security patches.
8. Consider implementing additional security measures such as IP whitelisting for admin access and two-factor authentication for WordPress accounts.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-9234.
Feedly estimated the CVSS score as MEDIUM
NVD published the first details for CVE-2024-9234
A CVSS base score of 9.8 has been assigned.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.05% (Percentile: 16.4%)
Detection for the vulnerability has been added to Qualys (152308)