8.3
CVE-2024-9593
- EPSS 80.84%
- Veröffentlicht 18.10.2024 18:15:04
- Zuletzt bearbeitet 29.10.2024 13:40:23
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginTime Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Unauthenticated (Limited) Remote Code Execution
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
Mögliche Gegenmaßnahme
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin: Update to version 1.2.3, or a newer patched version
Time Clock Pro: Update to version 1.1.5, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin
Version
* - 1.2.2
SystemWordPress Plugin
≫
Produkt
Time Clock Pro
Version
* - 1.1.4
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpplugin ≫ Time Clock SwEditionpro SwPlatformwordpress Version <= 1.1.4
Wpplugin ≫ Time Clock SwEdition- SwPlatformwordpress Version <= 1.2.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 80.84% | 0.991 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.3 | 3.9 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
| security@wordfence.com | 8.3 | 3.9 | 3.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.