Unauthorized Plugin Installation Vulnerability Affects PostX Plugin for WordPress
CVE-2024-10728

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Post Grid Gutenberg Blocks And WordPress Blog Plugin – Postx
Vendor: CVE Published:; 16 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Post Grid Gutenberg Blocks and PostX plugin for WordPress suffers from a security flaw that allows authenticated users with Subscriber-level access and above to install and activate arbitrary plugins. This vulnerability arises from a missing capability check in the 'install_required_plugin_callback' function across all versions up to 4.1.16. If another vulnerable plugin is already present, the unauthorized installation could lead to remote code execution, severely compromising the security of affected WordPress installations.

Affected Version(s)

Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX * <= 4.1.16

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10728
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ultimate-post/...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 16, 2024
👾
Exploit known to exist
Nov 16, 2024
Vulnerability published
Nov 16, 2024
Vulnerability Reserved
Nov 2, 2024

Credit

Sean Murphy