CVE-2024-10957 Vulnerability in UpdraftPlus Plugin

Description

The vulnerability lies in the recursive_unserialized_replace function of the UpdraftPlus plugin. Because the function deserializes data it does not adequately validate, an attacker can inject a PHP object (PHP Object Injection); this becomes exploitable when another installed plugin or theme contains a Property-Oriented Programming (POP) chain. UpdraftPlus itself contains no POP chain, so exploitability depends on the presence of such a chain in other installed components.

Key Details:

  1. CVE Identifier: CVE-2024-10957
  2. Affected Versions: UpdraftPlus versions 1.23.8 to 1.24.11.
  3. Severity: High (CVSS score: 8.8).
  4. Conditions for Exploitation:
    • An administrator must perform a search-and-replace action in the plugin.
    • A vulnerable POP chain must be present in another installed plugin or theme.
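The following is an added example (not UpdraftPlus code) showing the unsafe deserialization pattern behind this class of bug next to a hardened search-and-replace over possibly serialized values; the function names and the two constructed input strings are assumptions for illustration.

```php
<?php
// Replace a string inside already-decoded data (strings, nested arrays).
function replace_recursive($data, string $search, string $replace)
{
    if (is_string($data)) return str_replace($search, $replace, $data);
    if (!is_array($data)) return $data; // ints, floats, bools, null stay as they are
    $out = [];
    foreach ($data as $key => $item) {
        $out[$key] = replace_recursive($item, $search, $replace);
    }
    return $out;
}

// True if any object survived decoding; under allowed_classes=false such an
// object is always a __PHP_Incomplete_Class stand-in, never a real class.
function contains_object($data): bool
{
    if (is_object($data)) return true;
    if (!is_array($data)) return false;
    foreach ($data as $item) {
        if (contains_object($item)) return true;
    }
    return false;
}

function replace_in_value(string $value, string $search, string $replace): string
{
    // Vulnerable pattern: unserialize($value) with no options. Any "O:" token in
    // attacker-supplied data instantiates the named class and runs its magic
    // methods (__wakeup, __destruct) when the administrator triggers the replace.
    //
    // Hardened pattern: forbid class instantiation; objects can then only appear
    // as __PHP_Incomplete_Class, and such values are refused rather than rewritten.
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false && $value !== 'b:0;') {
        return str_replace($search, $replace, $value); // not serialized: plain text
    }
    if (contains_object($data)) {
        error_log('search-replace: skipped a value containing a serialized object');
        return $value; // leave untouched for manual review
    }
    return serialize(replace_recursive($data, $search, $replace));
}

// Constructed inputs: a normal serialized option, then one carrying an object.
echo replace_in_value('a:1:{s:4:"home";s:18:"http://old.example";}', 'old.example', 'new.example'), "\n";
echo replace_in_value('O:8:"SomeGadg":0:{}', 'old.example', 'new.example'), "\n";
```

The first call rewrites the URL and re-serializes it; the second returns the input unchanged and logs it, because a serialized object in a value that should only hold settings is exactly what a POP-chain payload looks like.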

Campaign Scenario

Initial Exploitation
  1. Malicious Input Injection:
    • An attacker first stores crafted serialized data in the WordPress site so that it will later reach the plugin's deserialization function.
  2. Triggering the Exploit:
    • The payload is triggered when an administrator executes a search-and-replace operation using UpdraftPlus.

Impact
  • Delete Arbitrary Files: Critical website files may be erased, leading to functionality disruptions or downtime.
  • Access Sensitive Data: Confidential information, such as database credentials or user data, could be exposed.
  • Execute Arbitrary Code: The attacker gains control over the website, potentially using it for further attacks or malware distribution.

Affected Product or Versions

Vulnerable Versions
  • UpdraftPlus Backup & Migration Plugin:
    • Versions 1.23.8 through 1.24.11.

Patched Version
  • Version 1.24.12 resolves this vulnerability.

Recommendations

  1. Update the Plugin:
    • All users must update to UpdraftPlus version 1.24.12 or later to mitigate this vulnerability.
    • Updates can be performed through the WordPress admin dashboard under Plugins > Installed Plugins or downloaded from the official WordPress repository.
  2. Audit Installed Plugins and Themes:
    • Check for other plugins or themes containing POP chains, which could make the site susceptible to exploitation.
    • Remove or update vulnerable components immediately.
  3. Restrict Access to Administrative Actions:
    • Limit the ability to perform search-and-replace operations to trusted administrators only.
  4. Enhance Monitoring:
    • Use security plugins to monitor suspicious activity and prevent malicious payloads from being injected.
  5. Backup Data Regularly:
    • Ensure regular backups are in place to restore data in case of exploitation.

Protect your website from vulnerabilities like CVE-2024-10957 with Protergo’s advanced security solutions. Our expert team ensures your site stays secure, minimizing risks to your data and functionality. Learn more about our services here.
