CVE-2021-29504
📋 TL;DR
This vulnerability in WP-CLI allows an attacker who can intercept network traffic to cause TLS certificate verification to be disabled, enabling man-in-the-middle attacks. Such an attacker could impersonate update servers and push malicious updates to WordPress installations or to WP-CLI itself. Affects WP-CLI versions 0.12.0 through 2.4.0.
💻 Affected Systems
- WP-CLI (WordPress Command Line Interface)
📦 What is this software?
WP-CLI by WP-CLI
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control over WP-CLI communications, push malicious WordPress updates to compromise entire sites, and potentially achieve remote code execution on affected systems.
Likely Case
Attackers intercept communications to push malicious updates, compromise WordPress installations, and potentially steal credentials or install backdoors.
If Mitigated
With proper network segmentation and certificate validation, impact is limited to potential denial of service from failed TLS connections.
🎯 Exploit Status
Exploitation requires network interception capability (man-in-the-middle position). No authentication needed as it exploits default error handling behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.0
Vendor Advisory: https://github.com/wp-cli/wp-cli/pull/5523
Restart Required: No
Instructions:
1. Update WP-CLI to version 2.5.0 or later using: wp cli update --stable
2. Verify update with: wp --version
3. Test that WP-CLI commands still work with your environment's certificate configuration.
🔧 Temporary Workarounds
Use the --insecure flag for affected commands
For versions 2.5.0+, explicitly opt in to insecure behavior when needed for compatibility
wp cli update --insecure
wp core update --insecure
🧯 If You Can't Patch
- Avoid using WP-CLI on untrusted networks where traffic interception is possible
- Implement network monitoring for unexpected certificate validation failures or unusual update requests
🔍 How to Verify
Check if Vulnerable:
Run: wp --version. If version is between 0.12.0 and 2.4.0 inclusive, system is vulnerable.
Check Version:
wp --version
Verify Fix Applied:
Run: wp --version. If version is 2.5.0 or higher, the fix is applied. Test with: wp cli check-update to verify secure connections work.
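As an added example (not part of this advisory or of WP-CLI itself), a POSIX shell function that classifies the output of wp --version against the affected range 0.12.0 through 2.4.0 and the fixed release 2.5.0; the function names and the sample version strings are constructed for illustration.

```shell
# Reduce a "WP-CLI 2.4.0" or "WP-CLI 2.5.0-alpha-..." line to "X.Y.Z".
# Prints nothing if the line does not look like wp --version output.
extract_wp_cli_version() {
    printf '%s\n' "$1" | sed -n 's/^WP-CLI \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Convert X.Y.Z into an integer sort key so ranges compare numerically
# (string comparison would rank 0.9.0 above 0.12.0): 2.4.0 -> 2004000.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Classify one wp --version line for CVE-2021-29504.
# Echoes "vulnerable" (0.12.0 <= v <= 2.4.0, per the advisory),
# "fixed" (v >= 2.5.0) or "unknown" (unparseable, or a release the
# advisory does not cover, e.g. below 0.12.0).
classify_wp_cli_version() {
    ver=$(extract_wp_cli_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    key=$(version_key "$ver")
    lo=$(version_key 0.12.0)
    hi=$(version_key 2.4.0)
    fix=$(version_key 2.5.0)
    if [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]; then
        echo vulnerable
    elif [ "$key" -ge "$fix" ]; then
        echo fixed
    else
        echo unknown
    fi
}

# Typical use on a host: classify_wp_cli_version "$(wp --version)"
```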
📡 Detection & Monitoring
Log Indicators:
- Multiple TLS handshake failures followed by successful connections without certificate validation
- Unexpected update requests or sources in WP-CLI logs
Network Indicators:
- Unencrypted HTTP traffic from WP-CLI where HTTPS was expected
- Connections to unusual update server addresses
SIEM Query:
Search for 'certificate verification failed' or 'TLS handshake error' in WP-CLI logs followed by successful connections
🔗 References
- https://github.com/wp-cli/checksum-command/pull/86
- https://github.com/wp-cli/config-command/pull/128
- https://github.com/wp-cli/core-command/pull/186
- https://github.com/wp-cli/extension-command/pull/287
- https://github.com/wp-cli/package-command/pull/138
- https://github.com/wp-cli/wp-cli/pull/5523
- https://github.com/wp-cli/wp-cli/security/advisories/GHSA-rwgm-f83r-v3qj