Arbitrary Plugin Installation Vulnerability in Vayu Blocks for WordPress and WooCommerce
CVE-2024-10124

9.8 CRITICAL

Key Information:

Vendor:
WordPress

CVE Published:
12 December 2024

Badges

👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 75%

What is CVE-2024-10124?

CVE-2024-10124 is a critical vulnerability in the Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin. The plugin's tp_install() function performs no capability check before installing a plugin, so the code path that should be limited to administrators (users holding install_plugins and activate_plugins) is reachable by anyone who can send a request to the site. The flaw is present in all versions up to and including 1.1.1. An unauthenticated attacker can use it to install and activate an arbitrary plugin from the WordPress.org repository; on its own that is not code execution, but it becomes remote code execution as soon as the attacker installs a plugin that has its own exploitable vulnerability and then exploits that second plugin. Version 1.1.1 only partially addressed the issue, so sites running 1.1.1 are still affected: administrators should update to a release newer than 1.1.1 and audit the installed plugin list for plugins they did not install themselves.
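The pattern behind this bug class, shown as an added illustration rather than the Vayu Blocks source: a WordPress AJAX installer callback that is hooked for anonymous users and checks nothing, next to a hardened version that drops the nopriv hook, verifies a nonce, enforces the two capabilities the action needs, and only installs plugins from a fixed allow-list. The hook name tp_install, the nonce action name, the POST parameter slug and the allow-list contents are assumptions; the WordPress APIs used (check_ajax_referer, current_user_can, plugins_api, Plugin_Upgrader, activate_plugin) are real core functions.

```php
<?php
/*
 * Illustrative code only. NOT the Vayu Blocks implementation; written to show
 * the missing-capability-check bug class described in CVE-2024-10124.
 * Hook, action, nonce and parameter names below are assumptions.
 */

/* ---------- Vulnerable pattern (assumed shape) ----------
 * Hooking wp_ajax_nopriv_* makes the callback reachable without logging in,
 * and nothing in the body checks who is calling or what they may do.
 * sanitize_key() cleans the input but is not an authorization check. */
add_action( 'wp_ajax_nopriv_tp_install', 'example_tp_install_vulnerable' );
add_action( 'wp_ajax_tp_install', 'example_tp_install_vulnerable' );

function example_tp_install_vulnerable() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_install_and_activate( $slug ); // any visitor installs any wp.org plugin
    wp_send_json_success();
}

/* ---------- Hardened pattern ----------
 * 1. No nopriv hook: anonymous requests never reach the callback.
 * 2. A nonce binds the request to a page this site rendered (CSRF defence).
 * 3. current_user_can() enforces the capabilities the action really needs.
 * 4. An allow-list restricts installs to the companion plugins this
 *    feature exists to offer, instead of arbitrary slugs. */
add_action( 'wp_ajax_tp_install', 'example_tp_install_hardened' );

function example_tp_install_hardened() {
    check_ajax_referer( 'example_tp_install', 'nonce' ); // dies on a bad or missing nonce

    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    $allowed = array( 'example-companion-a', 'example-companion-b' ); // assumed list
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'plugin not allowed', 400 );
    }

    example_install_and_activate( $slug );
    wp_send_json_success();
}

/* Shared installer using the same core upgrader wp-admin itself uses.
 * wp_send_json_error() terminates the request, so no code runs after a failure. */
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }

    $activated = activate_plugin( $upgrader->plugin_info() ); // e.g. "slug/slug.php"
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
}
```

The capability check is the fix that matters for this CVE; the nonce and the allow-list are defence in depth. Note that a nonce alone would not have prevented the reported issue, because WordPress nonces are not an authorization mechanism and a nonce can be obtained by any user who can view a page that embeds it.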

Affected Version(s)

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: all versions <= 1.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Because a working PoC removes most of the effort of weaponization, its availability raises the likelihood of mass exploitation, including by ransomware operators.

EPSS Score

EPSS estimates a 75% probability that exploitation activity against this vulnerability will be observed in the wild within the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Matthew Rollings