CVE-2024-6297
- CVSS base score 10
- EPSS 2.29%
- Published 25.06.2024 04:15:17
- Last modified 21.11.2024 09:49:23
- Source security@wordfence.com
Several WordPress.org Plugins <= Various Versions - Injected Backdoor
Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan.
Possible mitigation
Ad Invalid Click Protector (AICP): Update to version 1.2.11, or a newer patched version
BLAZE Retail Widget: Update to version 2.5.4, or a newer patched version
Britetechs Companion: Update to version 2.2.8, or a newer patched version
Contact Form Multi-Step Addon: Update to version 1.0.7, or a newer patched version
Pods – Custom Content Types and Fields: Update to version 3.2.4, or a newer patched version
PowerPress Podcasting plugin by Blubrry: Update to version 11.9.6, or a newer patched version
Seo Optimized Images: Update to version 2.1.4, or a newer patched version
Simply Show Hooks: Update to version 1.2.1, or a newer patched version
Social Sharing Plugin – Social Warfare: Update to version 4.4.7.3, or a newer patched version
Twenty20 Image Before-After: Update to version 1.6.4, or a newer patched version
WP Server Health Stats: Update to version 1.7.8, or a newer patched version
WPCOM Member: Update to version 1.3.14, or a newer patched version
Wrapper Link Elementor: Update to version 1.0.5, or a newer patched version
Linked by AI from unstructured data to existing CPEs in the NVD
Further vulnerability information
| System | Product | Version |
|---|---|---|
| WordPress Plugin | Ad Invalid Click Protector (AICP) | 1.2.9 |
| WordPress Plugin | BLAZE Retail Widget | 2.2.5 - 2.5.2 |
| WordPress Plugin | Britetechs Companion | 2.2.7 |
| WordPress Plugin | Contact Form Multi-Step Addon | 1.0.4 - 1.0.5 |
| WordPress Plugin | Pods – Custom Content Types and Fields | 3.2.3 |
| WordPress Plugin | PowerPress Podcasting plugin by Blubrry | 11.9.3 - 11.9.4 |
| WordPress Plugin | Seo Optimized Images | 2.1.2 |
| WordPress Plugin | Simply Show Hooks | 1.2.1 - 1.2.2 |
| WordPress Plugin | Social Sharing Plugin – Social Warfare | 4.4.6.4 - 4.4.7.1 |
| WordPress Plugin | Twenty20 Image Before-After | 1.5.4, 1.6.2, 1.6.3 |
| WordPress Plugin | WP Server Health Stats | 1.7.6 |
| WordPress Plugin | WPCOM Member | 1.3.15, 1.3.16 |
| WordPress Plugin | Wrapper Link Elementor | 1.0.2 - 1.0.3 |
Data provided through the CVE Program by Authorized Data Publishers (ADP) (unstructured)

| Vendor | Product | Default status | Version | Version <= | Status |
|---|---|---|---|---|---|
| warfareplugins | social_warfare | unaffected | 4.4.6.4 | 4.4.7.1 | affected |

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.29% | 0.842 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |