CyberSecurity updates
2025-01-09 13:52:06 Pacific

WordPress Plugin Vulnerability Exposes Millions - 1d
Read more: gbhackers.com

A critical vulnerability has been disclosed in the popular UpdraftPlus: WP Backup & Migration plugin, which is active on more than 3 million WordPress sites. The flaw, tracked as CVE-2024-10957, is a PHP Object Injection bug: the plugin's search-and-replace routine calls unserialize() on data it pulls from the database, so serialized data that an unauthenticated attacker managed to plant there (for example through a comment, form field or other stored input) is deserialized into live PHP objects. All versions up to and including 1.24.11 are affected; the fix shipped in 1.24.12. The issue carries a CVSS base score of 8.8 (High). Its impact depends on what classes are available on the site: with a usable gadget chain the attacker can delete arbitrary files, read sensitive data or execute code. The injected object is only instantiated when an administrator runs a search and replace action in the plugin, so the attack requires that admin interaction to complete.
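To make the mechanism concrete, here is an added illustration in PHP of the vulnerable pattern and one standard hardening. This is editorial example code, not UpdraftPlus source and not the vendor's actual patch; the gadget class TempFileCleaner, the payload and the two search-and-replace functions are constructed for the demonstration (PHP 8 assumed). It shows why unserialize() on database content is dangerous as soon as any class on the site has a side-effecting magic method, and why the same string is harmless once object instantiation is refused.

```php
<?php
// Added example, not plugin code: PHP Object Injection through unserialize()
// of untrusted serialized data, and the allowed_classes hardening.

// Hypothetical gadget class standing in for something another plugin or
// theme might define. A destructor with a file-system side effect is the
// classic building block of a POP (property-oriented programming) chain.
class TempFileCleaner
{
    public string $path;

    public function __destruct()
    {
        // Runs automatically when the object is freed, whoever created it.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Constructed attacker payload: a serialized TempFileCleaner whose $path is
// the file the attacker wants gone. Here a temp file stands in for wp-config.php.
$target = sys_get_temp_dir() . '/victim-' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($target, 'important data');
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";}';

// 1. Vulnerable pattern: a search-and-replace helper that unserializes
//    whatever serialized blob it found in the database.
function unsafe_search_replace(string $serialized, string $from, string $to): string
{
    $data = @unserialize($serialized);          // attacker-chosen class instantiated here
    if ($data === false) {
        return str_replace($from, $to, $serialized);
    }
    return serialize($data);                    // $data freed on return -> __destruct fires
}

unsafe_search_replace($payload, 'old.example', 'new.example');
echo "unsafe: target " . (file_exists($target) ? "still exists" : "DELETED by __destruct") . "\n";

// 2. Hardened pattern: never instantiate classes from untrusted input.
//    Objects come back as __PHP_Incomplete_Class, which has no attacker logic.
file_put_contents($target, 'important data');  // recreate the file for the second run

function replace_recursive(mixed $value, string $from, string $to): mixed
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = replace_recursive($v, $from, $to);
        }
    }
    return $value;   // scalars and __PHP_Incomplete_Class pass through untouched
}

function safe_search_replace(string $serialized, string $from, string $to): string
{
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if ($data === false) {
        return str_replace($from, $to, $serialized);
    }
    return serialize(replace_recursive($data, $from, $to));
}

safe_search_replace($payload, 'old.example', 'new.example');
echo "safe:   target " . (file_exists($target) ? "still exists" : "deleted") . "\n";
unlink($target);
```

Run with `php poi_demo.php`: the first call deletes the file purely because the object was deserialized and then freed; the second leaves it in place. Passing `['allowed_classes' => false]` (or an explicit whitelist of plain data classes) to unserialize() is the minimum bar for any code path that deserializes content it did not itself write; where the data is only ever arrays and scalars, switching the storage format to JSON removes the class of bug entirely.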

Website administrators running UpdraftPlus should update to version 1.24.12 or later without delay. All WordPress operators should also review their installations, including every active plugin and theme, and confirm they are on current versions. Updating from the WordPress dashboard takes minutes and shortens the window in which flaws like CVE-2024-10957 can be exploited, so tracking advisories of this kind is part of keeping a site out of a breach. Note that no known POP (property-oriented programming) gadget chain exists in the plugin itself; the danger is that a usable chain in another installed plugin or theme turns this injection point into arbitrary file deletion, data theft or remote code execution, which is why the overall plugin inventory matters, not just UpdraftPlus.