Multiple Critical Vulnerabilities in WordPress (CVE-2024-9234, CVE-2024-9707, CVE-2024-9822)

Published: Oct 12, 2024 08:51

Advisory No: TZCERT-SA-24-0033

Source: Wordfence

Software Affected: gutenkit-blocks-addon, hunk-companion, pedalo-connector

Overview

Three WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely or retrieve sensitive data.

Description

The WordPress plugins gutenkit-blocks-addon, hunk-companion and pedalo-connector are affected by the vulnerabilities tracked as CVE-2024-9234, CVE-2024-9707 and CVE-2024-9822, each with a CVSS score of 9.8. The flaws are, respectively, a missing capability check on the install_and_activate_plugin_from_external() function exposed through the install-active-plugin REST API endpoint, a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint, and insufficient restriction on the 'login_admin_user' function. These vulnerabilities allow unauthenticated attackers to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution.
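The common root cause above is a REST route whose permission check is absent or always succeeds, so the privileged action behind it is reachable without authentication. The following is an added illustration written for this advisory; it is not code from Wordfence or from the affected plugins, and the namespace, route names and callback names are hypothetical. It places the weak registration pattern beside a hardened one that requires the capabilities the action actually needs.

```php
<?php
// Added illustration of the "missing capability check" bug class on a
// WordPress REST endpoint. Route, namespace and function names are
// hypothetical and do not correspond to the affected plugins.

// WEAK: '__return_true' as the permission_callback makes the route public,
// so an unauthenticated POST reaches the plugin-install logic directly.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: WordPress evaluates permission_callback before the callback
// runs. Requiring install_plugins and activate_plugins means anonymous or
// low-privileged callers get a 401/403 and never reach the installer.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-guarded', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() ) // 401 if anonymous, 403 if logged in
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                // Only a wordpress.org-style slug is accepted; no URLs or paths.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]+$/', $value );
                },
            ),
        ),
    ) );
} );

/**
 * Installs a plugin from the wordpress.org directory and activates it.
 * Shared by both routes above so the difference is only the permission check.
 */
function example_install_and_activate( WP_REST_Request $request ) {
    // Defence in depth: re-check inside the callback so the guard survives
    // a later change to the route registration.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param( 'slug' );

    // Resolve the slug to a download link via the official directory only.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }

    return rest_ensure_response( array( 'installed' => $plugin_file ) );
}
```

When auditing a site, the quick check for this bug class is to look through wp-content/plugins for register_rest_route() calls whose permission_callback is '__return_true' or missing, and confirm that every route which installs, activates or logs a user in gates on current_user_can() with the matching capability rather than on a nonce or on the presence of a parameter alone.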

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
