WordPress Plugins Injected Backdoor Vulnerability Impacts Multiple (CVE-2024-6297)

Multiple WordPress plugins are vulnerable to a critical severity vulnerability tracked as CVE-2024-6297. The vulnerability is given a CVSS score of 10. The vulnerability impacts 13 plugins.

WordPress plugins hosted on WordPress.org have been hijacked, as malicious PHP scripts have been injected into them. As per the WordPress advisory, “A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious administrator users and send that data back to a server.”

Affected versions

  • WPCOM Member version
    • 1.3.15 – 1.3.15
    • 1.3.16 – 1.3.16
  • Twenty20 Image Before-After versions
    • 1.5.4 – 1.5.4
    • 1.6.2 – 1.6.2
    • 1.6.3 – 1.6.3
  • Britetechs Companion version 2.2.7
  • SEO Optimized Images version 2.1.2
  • WP Server Health Stats versions 1.7.6
  • Simply Show Hooks version 1.2.1 to 1.2.2
  • BLAZE Retail Widget version 2.2.5 to 2.5.2
  • Ad Invalid Click Protector (AICP) version 1.2.9
  • Wrapper Link Elementor version 1.0.2 to 1.0.3
  • Pods – Custom Content Types and Fields versions 3.2.3
  • Contact Form 7 Multi-Step Addon version 1.0.4 to 1.0.5
  • Social Sharing Plugin – Social Warfare version 4.4.6.4 to 4.4.7.1
  • PowerPress Podcasting plugin by Blubrry versions 11.9.3 to 11.9.4

Mitigation

  • WPCOM Member version 1.3.14
  • BLAZE Retail Widget version 2.5.4
  • Seo Optimized Images version 2.1.4
  • Britetechs Companion version 2.2.8
  • WP Server Health Stats versions 1.7.8
  • Wrapper Link Elementor version 1.0.5
  • Twenty20 Image Before-After version 1.6.4
  • Ad Invalid Click Protector (AICP) version 1.2.11
  • Contact Form 7 Multi-Step Addon version 1.0.7
  • Social Sharing Plugin – Social Warfare version 4.4.7.3
  • Pods – Custom Content Types and Fields version 3.2.2
  • PowerPress Podcasting plugin by Blubrry version 11.9.6

NOTE: WordPress has not released patches for the Simply Show Hooks plugin.

Qualys Detection

Qualys customers can scan their devices with QID 731607 to detect vulnerable assets.

Qualys customers will be able to detect if their servers are vulnerable by launching a Qualys (WAS, VM) scan.

The QIDs that will be reported for the vulnerable servers are:

  • 152004: WordPress Ad Invalid Click Protector(AICP) Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152006: WordPress Blaze-Widget Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152007: WordPress Britetechs Companion Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152014: WordPress Contact Form 7 Multi-Step Addon Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152015: WordPress Pods Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152016: WordPress PowerPress Podcasting Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152018: WordPress Seo Optimized Images Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)
  • 152021: WordPress Simply Show Hooks Plugin: Injected Backdoor Vulnerability (CVE-2024-6297)

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://www.wordfence.com/threat-intel/vulnerabilities/detail/several-wordpressorg-plugins-various-versions-injected-backdoor

1 thought on “WordPress Plugins Injected Backdoor Vulnerability Impacts Multiple (CVE-2024-6297)”

Leave a Reply

Your email address will not be published. Required fields are marked *