CVE-2024-6220 Overview
CVE-2024-6220 is a critical arbitrary file upload vulnerability affecting the 简数采集器 (Keydatas) plugin for WordPress. The vulnerability exists due to missing file type validation in the keydatas_downloadImages function across all versions up to and including 2.5.2. This security flaw enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution.
Critical Impact
Unauthenticated attackers can upload malicious files including PHP web shells, enabling complete server compromise and remote code execution without any authentication.
Affected Products
- Keydatas WordPress Plugin versions up to and including 2.5.2
- WordPress installations with the Keydatas (简数采集器) plugin active
- All WordPress sites using vulnerable versions of the keydatas plugin
Discovery Timeline
- 2024-07-17 - CVE-2024-6220 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6220
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The root issue lies in the keydatas_downloadImages function which fails to implement proper file type validation before accepting uploaded files. Without these security controls, the function accepts any file type, including executable server-side scripts.
The vulnerability is particularly severe because it requires no authentication to exploit. Attackers can directly interact with the vulnerable function through network-accessible endpoints, upload malicious PHP files, and subsequently execute arbitrary code on the web server. This attack chain can lead to complete server compromise, data theft, website defacement, or the establishment of persistent backdoors.
Root Cause
The vulnerability stems from the absence of file type validation within the keydatas_downloadImages function. A correct implementation would check the file extension against an allowlist of permitted types (such as image formats), validate the MIME type, and ideally inspect the file contents to confirm they match the claimed format. The vulnerable implementation performs none of these checks and accepts any file regardless of its name or content.
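The three controls described above, written out as an added standalone Python check (this is illustrative code, not code from the Keydatas plugin or from the Wordfence analysis). It runs before a fetched file is written to disk and rejects anything that is not a genuine image: the function and constant names, the format allowlist and the marker list are assumptions chosen for the example.

```python
# Added example (not Keydatas plugin code): extension allowlist, magic-byte
# agreement with the extension, and a content scan for script markers, applied
# before a remotely fetched file is stored. Names below are illustrative.
import os

# Magic-byte prefixes of the only formats an image downloader should accept.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),  # full check below: bytes 8..12 must read "WEBP"
}
EXTENSION_ALIASES = {"jpeg": "jpg"}
# Script extensions that must not appear anywhere in the name: some handler
# mappings execute "shell.php.png" as PHP.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Byte sequences that make a file active regardless of its extension.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def sniff_image_type(data: bytes):
    """Return the canonical image type whose magic bytes match, else None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            if ext == "webp" and data[8:12] != b"WEBP":
                return None
            return ext
    return None


def validate_downloaded_image(filename: str, data: bytes):
    """Decide whether a fetched file may be stored. Returns (ok, reason).

    Checks, in order: extension allowlist (including intermediate extensions),
    magic bytes agree with the extension, and no script markers anywhere in
    the content (this rejects image/PHP polyglots such as a GIF header
    followed by PHP code).
    """
    # Keep only the file name and drop any URL query/fragment residue.
    base = os.path.basename(filename).split("?", 1)[0].split("#", 1)[0].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "file name has no extension"
    ext = EXTENSION_ALIASES.get(parts[-1], parts[-1])
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '.{parts[-1]}' is not an allowed image type"
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, "file name carries an embedded script extension"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a known image signature"
    if sniffed != ext:
        return False, f"content is {sniffed} but the name claims {ext}"
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return False, "content contains a script marker (possible polyglot)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one genuine image and several rejects.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, blob in [
        ("photo.png", png),
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.png", b"<?php echo 1; ?>"),
        ("poly.gif", b"GIF89a" + b"\x00" * 7 + b"<?php echo 1; ?>"),
        ("shell.php.png", png),
        ("photo.jpg", png),
    ]:
        print(name, validate_downloaded_image(name, blob))
```

The order of the checks matters: the cheap name checks run first, and the content scan runs last so that a file which passes the signature test is still refused when a script marker is embedded after a valid image header. Storing the file under a server-generated name with the sniffed extension, rather than the remote name, removes the remaining dependence on attacker-controlled input.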
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker identifies a WordPress site running a vulnerable version of the Keydatas plugin and crafts a malicious request to the keydatas_downloadImages function. The request includes a malicious file payload, typically a PHP web shell or backdoor script. Due to the missing validation, the server accepts and stores the file in an accessible location. The attacker then accesses the uploaded file via its URL path to execute arbitrary commands on the server.
The vulnerability mechanism involves sending a crafted HTTP request to the WordPress installation that triggers the keydatas_downloadImages function. Without file type validation, the function processes and stores malicious payloads directly to the server's file system. For detailed technical analysis, see the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2024-6220
Indicators of Compromise
- Unexpected PHP files in WordPress upload directories or plugin folders
- Web server logs showing POST requests to Keydatas plugin endpoints with suspicious file uploads
- Newly created files with recent timestamps in web-accessible directories containing obfuscated or encoded content
- Outbound connections from the web server to unknown external IP addresses
Detection Strategies
- Monitor WordPress upload directories for creation of new PHP or executable files
- Review web server access logs for requests to /wp-content/plugins/keydatas/ with large POST bodies
- Implement Web Application Firewall (WAF) rules to block file upload attempts containing PHP content
- Scan for known web shell signatures in uploaded content
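Two of the detection strategies above (large POST requests to the plugin path, and script files or script content under the uploads tree) run over constructed sample data, as an added example that is not part of the advisory. The log format (Apache combined format with mod_logio's `%I` appended as a final "bytes received" field), the placeholder endpoint name, the size threshold and the marker list are all assumptions for illustration.

```python
# Added example, not part of the advisory or the plugin: access-log triage and
# an uploads-directory scan over constructed data. The log format, endpoint
# path and threshold are assumptions for illustration.
import os
import re
import tempfile

# Apache combined format plus a trailing "%I" (bytes received) field; assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<sent>\d+|-) (?P<received>\d+)$'
)
PLUGIN_PREFIX = "/wp-content/plugins/keydatas/"
UPLOADS_PREFIX = "/wp-content/uploads/"
LARGE_REQUEST = 8 * 1024  # bytes received; tune to the site's normal traffic
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
SCRIPT_MARKERS = (b"<?php", b"<?=")

# Constructed log lines; "example-endpoint.php" is a placeholder, not a real
# Keydatas file name.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2024:10:01:22 +0000] "POST /wp-content/plugins/keydatas/example-endpoint.php HTTP/1.1" 200 512 98304
198.51.100.7 - - [17/Jul/2024:10:02:03 +0000] "GET /wp-content/plugins/keydatas/assets/style.css HTTP/1.1" 200 1200 400
203.0.113.5 - - [17/Jul/2024:10:03:10 +0000] "GET /wp-content/uploads/2024/07/cache.php HTTP/1.1" 200 44 300
192.0.2.9 - - [17/Jul/2024:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 900
"""


def suspicious_requests(log_text: str):
    """Return (ip, path, reason) for lines matching the indicators above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        path = m.group("path").split("?", 1)[0]
        received = int(m.group("received"))
        if m.group("method") == "POST" and path.startswith(PLUGIN_PREFIX) and received >= LARGE_REQUEST:
            hits.append((m.group("ip"), path, "large POST to Keydatas plugin endpoint"))
        elif path.startswith(UPLOADS_PREFIX) and os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
            hits.append((m.group("ip"), path, "script file requested from uploads directory"))
    return hits


def scan_upload_dir(root: str):
    """Walk an uploads tree; flag script extensions and script markers in content."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((rel, "script extension"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(64 * 1024)  # polyglot markers sit near the front
            if any(marker in head for marker in SCRIPT_MARKERS):
                findings.append((rel, "script marker inside non-script file"))
    return sorted(findings)


def build_sample_upload_dir():
    """Create a throwaway uploads tree of constructed files; return its path."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2024", "07")
    os.makedirs(month)
    with open(os.path.join(month, "photo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # benign image
    with open(os.path.join(month, "cache.php"), "wb") as fh:
        fh.write(b"<?php echo 1; ?>")  # flagged by extension
    with open(os.path.join(month, "banner.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 7 + b"<?php echo 1; ?>")  # flagged by content
    return root


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("log:", hit)
    for finding in scan_upload_dir(build_sample_upload_dir()):
        print("file:", finding)
```

The log rule keys on bytes received rather than response size because the combined format's `%b` field reports the response, which says nothing about an upload; without mod_logio the same signal can be taken from the request's Content-Length header in a WAF or reverse-proxy log. The directory scan deliberately reads content as well as names, since a file accepted without validation may carry an image extension and still contain PHP.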
Monitoring Recommendations
- Enable file integrity monitoring on WordPress installation directories
- Configure alerts for new file creation events in plugin and upload directories
- Implement real-time log analysis for suspicious HTTP request patterns targeting the Keydatas plugin
- Deploy endpoint detection solutions to identify post-exploitation activities
How to Mitigate CVE-2024-6220
Immediate Actions Required
- Immediately deactivate and remove the Keydatas plugin if running version 2.5.2 or earlier
- Audit the WordPress installation for any suspicious files that may have been uploaded
- Review web server logs for evidence of exploitation attempts
- Consider restoring from a known-clean backup if compromise is suspected
Patch Information
Users should update to a patched version of the Keydatas plugin if one becomes available. Check the plugin's source code in the WordPress plugin repository for the latest version information. If no patched version is available, the plugin should remain deactivated until a security fix is released.
Workarounds
- Deactivate the Keydatas plugin entirely until a security patch is released
- Implement WAF rules to block requests to Keydatas plugin endpoints
- Restrict access to WordPress admin and plugin directories using web server configuration
- Deploy file upload validation at the web server level to reject potentially dangerous file types
# Apache 2.4 configuration to deny requests for PHP files in the uploads directory
# (Apache 2.2 uses "Order deny,allow" / "Deny from all" instead of "Require all denied").
# The pattern also covers .phtml, .phar and .php5-style names, which some handler
# mappings execute as PHP; the original matched ".php" only.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
        Require all denied
    </FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

