CVE-2024-9593

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 18, 2024 / Updated: 32d ago

CVSS 8.3 (High) / EPSS 0.05%

Summary

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.

Impact

This vulnerability allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to complete compromise of the affected WordPress installation. The impact is severe as it can result in unauthorized access, data theft, website defacement, or use of the server for further malicious activities. The CVSS v3.1 base score of 8.3 (High severity) indicates a significant risk, with the attack vector being network-based, requiring no user interaction, and having a low attack complexity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

Patches are available. Users of the Time Clock plugin should update to a version newer than 1.2.2, and users of the Time Clock Pro plugin should update to a version newer than 1.1.4.

Mitigation

1. Immediately update the affected plugins to the latest versions that address this vulnerability.
2. If immediate updating is not possible, consider temporarily disabling the affected plugins until they can be updated.
3. Implement strong Web Application Firewall (WAF) rules to filter out potentially malicious requests targeting the 'etimeclockwp_load_function_callback' function.
4. Regularly monitor WordPress and plugin versions, and implement a robust patch management process to ensure timely updates.
5. Conduct a thorough security audit of the WordPress installation to identify and address any potential compromises that may have occurred prior to patching.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9593.

Oct 18, 2024 at 10:42 AM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 18, 2024 at 10:42 AM
CVE Assignment

NVD published the first details for CVE-2024-9593

Oct 18, 2024 at 6:15 PM
CVSS

A CVSS base score of 8.3 has been assigned.

Oct 18, 2024 at 6:15 PM / nvd
Threat Intelligence Report

CVE-2024-9593 is a critical vulnerability in the Time Clock and Time Clock Pro plugins for WordPress, with a CVSS score of 8.3, allowing unauthenticated attackers to execute arbitrary code on the server. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits; however, patches are available, and users are advised to update to versions newer than 1.2.2 and 1.1.4, respectively. Mitigations include temporarily disabling the affected plugins and implementing strong Web Application Firewall rules to filter malicious requests.

Oct 18, 2024 at 10:05 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.5%)

Oct 19, 2024 at 9:48 AM

Affected Systems

Wpplugin/time_clock

Attack Patterns

CAPEC-242: Code Injection


News

Exploit for Code Injection in Wpplugin Time Clock exploit
0x4f5da2-venom/CVE-2024-9593-EXP
[GitHub] CVE-2024-9593 remote code execution in a WordPress plugin
cveNotify : 🚨 CVE-2024-9593The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.🎖@cveNotify
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
https://github.com/RandomRobbieBF/CVE-2024-9593 #wordpress

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
