Arbitrary Plugin Installation Vulnerability in Vayu Blocks for WordPress and WooCommerce
CVE-2024-10124

9.8 CRITICAL

Key Information:

Vendor
WordPress
CVE Published:
12 December 2024

Badges

👾 Exploit Exists · 🟡 Public PoC

Summary

CVE-2024-10124 refers to a severe vulnerability within the Vayu Blocks plugin for WordPress and WooCommerce. This weakness stems from a missing capability check in the tp_install() function, found in all versions up to 1.1.1. The flaw allows unauthenticated attackers to install and activate arbitrary plugins on affected sites. If exploited, this can lead to remote code execution, particularly if other vulnerable plugins coexist on the site. While Vayu has partially mitigated this issue in version 1.1.1, it remains critical for users to update to the latest version and review their plugin installations to ensure security.
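To show the bug class the summary describes, the following is a constructed illustration added here, not the Vayu Blocks source: a WordPress AJAX install handler that lacks a capability check, beside the hardened form that a reviewer would expect. The hook names, action name, nonce name and request parameter are hypothetical.

```php
<?php
// Constructed illustration of a missing capability check; not Vayu Blocks' code.
// Hypothetical names: hooks, nonce action and the 'slug' parameter are assumed.

// BEFORE: registered for unauthenticated (nopriv) requests and performing no
// capability or nonce check, so any visitor who reaches it can install a plugin.
add_action( 'wp_ajax_nopriv_tp_install', 'tp_install_vulnerable' );
add_action( 'wp_ajax_tp_install', 'tp_install_vulnerable' );
function tp_install_vulnerable() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    tp_do_install( $slug );
    wp_send_json_success();
}

// AFTER: logged-in only (no nopriv hook), CSRF nonce verified, and the caller
// must hold install_plugins and activate_plugins before the upgrader runs.
add_action( 'wp_ajax_tp_install_safe', 'tp_install_hardened' );
function tp_install_hardened() {
    check_ajax_referer( 'tp_install_nonce', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // the check the vulnerable handler lacks
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    tp_do_install( $slug );
    wp_send_json_success();
}

// Shared install routine built on core's upgrader API. The authorization
// belongs in the request handler above; this function trusts its caller.
function tp_do_install( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
}
```

When auditing a plugin for this class of bug, look for every `wp_ajax_nopriv_*`, `admin_post_nopriv_*` or REST route with a permissive `permission_callback` that reaches `Plugin_Upgrader` or `activate_plugin()` without a `current_user_can()` gate.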

Affected Version(s)

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: <= 1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings