Arbitrary Function Execution Through Setting Import
CVE-2024-9529

Currently unrated

Key Information:

Vendor: Wordpress
Status: Secure Custom Fields; Advanced Custom Fields Pro
Vendor: CVE Published:; 15 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-9529?

The Secure Custom Fields and Advanced Custom Fields Pro plugins for WordPress exhibit a significant vulnerability that enables high privilege users, particularly administrators, to execute arbitrary PHP functions through the plugins' setting import functionalities. This oversight allows for potential exploitation, where unauthorized actions can be initiated, raising considerable security concerns for users utilizing these plugins.

Affected Version(s)

Advanced Custom Fields Pro 0 < 6.3.9

Secure Custom Fields 6.3.7 < 6.3.9

Secure Custom Fields 0 < 6.3.6.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9529 - Proof of Concept

References

https://wpscan.com/vulnerability/dd3cc8d8-4dff-47f9-b036-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 15, 2024
👾
Exploit known to exist
Nov 15, 2024
Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Oct 4, 2024

Credit

Automattic Security Team

WPScan

Wordpress