CVE-2024-8512

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740
https://plugins.trac.wordpress.org/changeset/3175640/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve

Configurations

No configuration.

History

01 Nov 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) El complemento W3SPEEDSTER para WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 7.26 incluida a través del parámetro 'script' de la función hookBeforeStartOptimization(). Esto se debe a que el complemento pasa la información proporcionada por el usuario a eval(). Esto permite que atacantes autenticados, con acceso de nivel de administrador o superior, ejecuten código en el servidor.

30 Oct 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-30 11:15

Updated : 2024-11-01 12:57

NVD link : CVE-2024-8512

Mitre link : CVE-2024-8512

CVE.ORG link : CVE-2024-8512

JSON object : View

Products Affected

No product.

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

9.1 /10