Unauthorized Access to Arbitrary Files on Windows and Linux Servers via Missing Capability Check in InPost for WooCommerce Plugin
CVE-2024-6500
Summary
The InPost for WooCommerce plugin and the InPost PL plugin for WordPress are vulnerable to unauthorized data access and deletion because of a missing capability check, making it possible for attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install can be deleted, but all files can be read. Successful exploitation can force a website back into its setup state, allowing it to be connected to a harmful database and potentially leading to further system compromise. InPost PL users are recommended to apply the latest patch, while InPost for WooCommerce plugin users are encouraged to switch to InPost PL and remove the vulnerable plugin. No known exploitation by ransomware groups has been reported.
News Articles
Serious flaw in popular WordPress plugin puts more than 10,000 websites at risk of attack (CVE-2024-6500) | Codebook | Security News
Serious flaw found in the popular WordPress InPost plugin series exposes more than 10,000 websites to attack (CVE-2024-6500) | OpenAI disrupts Iranian influence operation targeting the US presidential election
5 months ago
References
CVSS V3.1
Timeline
- 📰 First article discovered by 株式会社マキナレコード
- Vulnerability published