CVE-2024-6500 Overview
CVE-2024-6500 is a critical authorization bypass vulnerability affecting the InPost for WooCommerce and InPost PL plugins for WordPress. The vulnerability stems from a missing capability check on the parse_request function, allowing unauthenticated attackers to read and delete arbitrary files on affected servers. This vulnerability has different impact profiles depending on the server operating system—on Windows servers, attackers can read and delete arbitrary files across the entire system, while on Linux servers, file deletion is restricted to the WordPress installation directory, though all files remain readable.
Critical Impact
Unauthenticated attackers can read sensitive configuration files including wp-config.php containing database credentials, and potentially delete critical system or application files, leading to complete site compromise or denial of service.
Affected Products
- InPost for WooCommerce plugin versions up to and including 1.4.0
- InPost PL plugin versions up to and including 1.4.4
- WordPress installations running vulnerable plugin versions
Discovery Timeline
- August 17, 2024 - CVE-2024-6500 published to NVD
- August 19, 2024 - Last updated in NVD database
Technical Details for CVE-2024-6500
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), where the parse_request function in both affected plugins fails to implement proper capability checks before processing sensitive file operations. The function processes requests without verifying whether the requesting user has appropriate WordPress capabilities or permissions, effectively exposing file system operations to any unauthenticated visitor.
The vulnerability allows attackers to leverage the plugin's file handling functionality to read arbitrary files from the server. This is particularly dangerous as it enables extraction of wp-config.php, which contains database credentials, authentication salts, and potentially other sensitive configuration data. Additionally, the file deletion capability can be weaponized to remove critical WordPress files (such as wp-config.php itself), effectively taking down the site or forcing a fresh installation that an attacker could hijack.
The differential impact between Windows and Linux servers comes from how file path handling and permissions work on each operating system. Windows servers are more severely affected because the plugin's file operations can reach the entire file system, while on Linux the permissions model confines deletion to the WordPress installation directory (files elsewhere remain readable, as noted above).
Root Cause
The root cause is the absence of authorization checks in the parse_request function within the EasyPack_Helper.php file for InPost for WooCommerce and class-helper.php for InPost PL. The vulnerable code processes file-related parameters from incoming requests without first validating that the requester has administrative capabilities such as manage_options or other appropriate WordPress capabilities. This oversight allows unauthenticated users to invoke file read and delete operations that should be restricted to authorized administrators only.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests targeting the vulnerable parse_request function endpoints. By manipulating request parameters, the attacker can specify arbitrary file paths for reading or deletion operations. The attack can be executed remotely against any accessible WordPress site running vulnerable versions of these plugins.
The vulnerability can be exploited through direct HTTP requests to the WordPress site. Attackers would identify installations using these plugins through reconnaissance techniques such as checking for plugin-specific assets or behaviors, then craft requests targeting the vulnerable function to extract sensitive files or cause service disruption through file deletion.
Detection Methods for CVE-2024-6500
Indicators of Compromise
- Unusual HTTP requests targeting InPost plugin endpoints with file path parameters containing directory traversal sequences (e.g., ../)
- Access log entries showing requests attempting to read sensitive files like wp-config.php, /etc/passwd, or Windows system files
- Unexpected file deletions within the WordPress installation directory or system-wide on Windows servers
- Error logs indicating file access attempts to paths outside normal plugin operations
Detection Strategies
- Monitor web server access logs for requests containing path traversal patterns (../, ..\) directed at InPost plugin endpoints
- Implement Web Application Firewall (WAF) rules to detect and block requests with suspicious file path parameters
- Deploy file integrity monitoring (FIM) on critical WordPress files and system configuration files to detect unauthorized modifications or deletions
- Use WordPress security plugins capable of detecting unauthorized file access attempts
Monitoring Recommendations
- Enable verbose logging for the WordPress installation to capture detailed request information
- Configure alerts for file system changes to critical files including wp-config.php, .htaccess, and core WordPress files
- Monitor for unusual outbound traffic patterns that may indicate data exfiltration following file read operations
- Review server access logs regularly for reconnaissance patterns targeting plugin directories
How to Mitigate CVE-2024-6500
Immediate Actions Required
- Update InPost for WooCommerce to version 1.4.1 or later immediately
- Update InPost PL to version 1.4.5 or later immediately
- If immediate patching is not possible, deactivate the vulnerable plugins until updates can be applied
- Review server logs for signs of exploitation and assess potential data exposure
- Rotate database credentials and WordPress authentication salts if compromise is suspected
Patch Information
Security patches have been released by the plugin developers. The patches implement proper capability checks in the parse_request function to ensure only authorized administrators can perform file operations. The fix can be reviewed in the WordPress Repository Changeset for InPost for WooCommerce and the WordPress Repository Changeset for InPost PL. Additional details are available in the Wordfence Vulnerability Report.
Workarounds
- Deactivate and remove the affected plugins if they are not essential to site operations
- Implement Web Application Firewall rules to block requests containing path traversal sequences targeting plugin endpoints
- Restrict access to the WordPress admin and plugin directories via server configuration (e.g., IP whitelisting)
- Consider placing the site in maintenance mode if the plugins cannot be updated and are required for operations
# Example: Block suspicious requests in Apache .htaccess
# Add to the WordPress root .htaccess file (requires mod_rewrite). RewriteCond
# matches the raw, undecoded query string, so percent-encoded traversal
# sequences such as %2e%2e%2f are not caught by these patterns; pair this with
# the WAF rules above and adjust the RewriteRule path to the routes the plugin exposes.
RewriteEngine On
# Query string contains "../" (case-insensitive), OR ...
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
# ... query string contains "..\"
RewriteCond %{QUERY_STRING} (\.\.\\) [NC]
# Respond 403 Forbidden for matching requests under the InPost plugin path
RewriteRule ^wp-content/plugins/inpost.* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.