CVE-2024-10002
📋 TL;DR
The Rover IDX WordPress plugin, in versions up to and including 3.0.0.2905, contains an authentication bypass caused by insufficient validation in the 'rover_idx_refresh_social_callback' function. An authenticated attacker with subscriber-level access or higher can use it to gain administrator access to the site. Any WordPress site running an affected version is at risk; the fix shipped in 3.0.0.2906.
💻 Affected Systems
- Rover IDX WordPress Plugin
📦 What is this software?
Rover Idx by Roveridx
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the WordPress site, enabling data theft, malware installation, site defacement, and complete compromise of the web server.
Likely Case
Attackers with subscriber accounts escalate to administrator privileges, potentially modifying content, installing malicious plugins, or stealing sensitive data.
If Mitigated
With the plugin updated (or deactivated) the escalation path is closed. Where that is not yet possible, disabling open registration limits who can obtain the subscriber account the attack requires, and monitoring of role changes and administrator logins surfaces an attempt before the attacker can install a backdoor or exfiltrate data.
🎯 Exploit Status
Exploitation requires an authenticated account (subscriber or higher); on sites with open registration an attacker can create one. No public exploit is cited here, but the vulnerable and fixed code are public in the plugin's SVN repository (see references), so the flaw is straightforward to study.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0.2906
Fix Changeset (vendor commit, no separate advisory): https://plugins.trac.wordpress.org/changeset/3173032/rover-idx/trunk/rover-social-common.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Rover IDX plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.0.0.2906 from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Rover IDX Plugin
Temporarily deactivate the vulnerable plugin until it can be updated. This removes the vulnerable callback entirely, at the cost of the plugin's features being unavailable while it is off:
wp plugin deactivate rover-idx
Restrict User Registration
Disable open registration so attackers cannot self-provision a subscriber account: navigate to Settings → General in the WordPress admin and uncheck 'Anyone can register'. This only raises the bar; any existing subscriber-level account, including a compromised one, can still exploit the flaw, so review existing low-privilege accounts as well.
🧯 If You Can't Patch
- Remove the Rover IDX plugin completely from your WordPress installation
- Implement strict monitoring of user privilege changes and administrative actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Rover IDX version. If version is 3.0.0.2905 or earlier, you are vulnerable.
Check Version:
wp plugin get rover-idx --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 3.0.0.2906 or later in WordPress admin panel.
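The version check above can be automated so it does not depend on someone looking at the Plugins screen. The following must-use plugin is an added example, not code from Rover IDX or from the vendor: it reads the installed version through WordPress's own get_plugins() API, compares it against the first fixed release with version_compare() (which handles the four-component version numbers the plugin uses), and shows an admin notice while the site is still affected. The plugin basename 'rover-idx/rover-idx.php' is an assumption; confirm it against the 'Plugin' column of `wp plugin list` before relying on it.

```php
<?php
/**
 * Plugin Name: Rover IDX CVE-2024-10002 version check (added example)
 * Description: Not part of Rover IDX. Place in wp-content/mu-plugins/ to get an
 *              admin notice while an affected version is installed.
 */

// First fixed release, from the advisory.
const ROVER_IDX_FIXED_VERSION = '3.0.0.2906';
// Assumed basename; verify with `wp plugin list` and adjust if it differs.
const ROVER_IDX_BASENAME = 'rover-idx/rover-idx.php';

/**
 * True when $installed is older than the first fixed release.
 * version_compare() compares each dotted component numerically, so
 * 3.0.0.2905 < 3.0.0.2906 and 3.0.0.2906 is not flagged.
 */
function rover_idx_example_is_vulnerable( string $installed ): bool {
    return version_compare( $installed, ROVER_IDX_FIXED_VERSION, '<' );
}

/**
 * Installed Rover IDX version, or null when the plugin is not installed.
 * get_plugins() lives in wp-admin/includes/plugin.php, which is not loaded
 * on every request, so include it on demand.
 */
function rover_idx_example_installed_version(): ?string {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = get_plugins();
    if ( isset( $plugins[ ROVER_IDX_BASENAME ]['Version'] ) ) {
        return (string) $plugins[ ROVER_IDX_BASENAME ]['Version'];
    }
    // Fall back to matching the plugin header name if the basename assumption is wrong.
    foreach ( $plugins as $data ) {
        if ( 0 === strcasecmp( 'Rover IDX', (string) $data['Name'] ) ) {
            return (string) $data['Version'];
        }
    }
    return null;
}

add_action( 'admin_notices', function () {
    // Only users who can update plugins need to see (or can act on) the warning.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $version = rover_idx_example_installed_version();
    if ( null === $version || ! rover_idx_example_is_vulnerable( $version ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Rover IDX %s is affected by CVE-2024-10002. Update to %s or later, or deactivate the plugin.',
            $version,
            ROVER_IDX_FIXED_VERSION
        ) )
    );
} );
```

Because it is a must-use plugin it cannot be deactivated from the Plugins screen by an attacker who has already escalated, and it keeps warning until the installed version reports 3.0.0.2906 or later.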
📡 Detection & Monitoring
Log Indicators:
- An existing account promoted from subscriber to administrator, or a new administrator account, that no legitimate admin created
- A low-privilege account that begins performing administrative actions (installing plugins, creating users, editing options) within the same session
- Subscriber-level accounts reaching admin-only screens (plugins.php, users.php, theme-editor.php); note that /wp-admin/ itself is reachable by subscribers for their profile page, so plain /wp-admin/ hits are not an indicator
Network Indicators:
- Requests from subscriber-level sessions that reach the rover_idx_refresh_social_callback handler, which ordinary users have no reason to trigger
- Administrative activity from IP addresses not previously associated with any administrator
SIEM Query:
source="wordpress.log" AND ("rover_idx_refresh_social_callback" OR "user role changed" OR "subscriber to administrator")
Core WordPress writes no "user role changed" line; the role-change terms in this query only match if an activity-logging plugin or a custom hook records role changes. Web server access logs by themselves will not show the function name either, since it is a PHP function, not a URL path.
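Both the "implement strict monitoring of user privilege changes" advice under "If You Can't Patch" and the log indicators above assume that role changes and administrator logins are actually written to a log, which stock WordPress does not do. The must-use plugin below is an added example, not code from Rover IDX or from the vendor, that produces those log lines using three documented WordPress actions: set_user_role (fired by WP_User::set_role()), add_user_role (fired by WP_User::add_role()), and set_auth_cookie (fired by wp_set_auth_cookie(), including calls that never went through the login form). The log destination is PHP's error_log (wp-content/debug.log when WP_DEBUG_LOG is on), the privileged role set is the stock 'administrator' role, and the line format is an assumption chosen to be easy to grep; escalations written directly to the database bypass these hooks and are not caught.

```php
<?php
/**
 * Plugin Name: Privilege-change monitor (added example for CVE-2024-10002)
 * Description: Not part of Rover IDX. Logs role escalations and administrator
 *              session issuance so that the log indicators above exist.
 */

// Roles treated as privileged. Assumption: stock single-site role set.
const PRIV_MONITOR_ROLES = array( 'administrator' );

/**
 * Writes one space-separated key=value line to the PHP error log and returns it.
 * Request context (client IP, URI, admin-ajax/admin-post action) is attached so
 * a hit can be tied back to the endpoint that triggered it.
 */
function priv_monitor_log( string $event, array $fields ): string {
    $fields = array_merge( array(
        'event'  => $event,
        'ip'     => $_SERVER['REMOTE_ADDR'] ?? '-',
        'uri'    => $_SERVER['REQUEST_URI'] ?? '-',
        'action' => $_REQUEST['action'] ?? '-',
    ), $fields );
    $parts = array();
    foreach ( $fields as $key => $value ) {
        // Keep one event per line and one token per field.
        $parts[] = $key . '=' . str_replace( array( "\n", "\r", ' ' ), '_', (string) $value );
    }
    $line = 'priv_monitor ' . implode( ' ', $parts );
    error_log( $line );
    return $line;
}

// 1. Role replaced: $old_roles is the role list before the change.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, PRIV_MONITOR_ROLES, true ) ) {
        return;
    }
    priv_monitor_log( 'role_escalation', array(
        'target_user' => $user_id,
        'old_roles'   => implode( ',', (array) $old_roles ),
        'new_role'    => $role,
        'actor_user'  => get_current_user_id(), // 0 when no session was attached
    ) );
}, 10, 3 );

// 2. Role added on top of existing roles (WP_User::add_role()).
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( ! in_array( $role, PRIV_MONITOR_ROLES, true ) ) {
        return;
    }
    priv_monitor_log( 'role_added', array(
        'target_user' => $user_id,
        'new_role'    => $role,
        'actor_user'  => get_current_user_id(),
    ) );
}, 10, 2 );

// 3. Auth cookie minted for a privileged account. During a normal login the
//    request carries no session, so actor_user is 0. If a request that already
//    belongs to user A mints a cookie for administrator B, the session is being
//    upgraded without a login, which is the shape of an authentication bypass.
add_action( 'set_auth_cookie', function ( $cookie, $expire, $expiration, $user_id ) {
    $target = get_userdata( (int) $user_id );
    if ( ! $target || ! array_intersect( PRIV_MONITOR_ROLES, (array) $target->roles ) ) {
        return;
    }
    $actor = get_current_user_id();
    priv_monitor_log( 'admin_session_issued', array(
        'target_user'  => $user_id,
        'target_login' => $target->user_login,
        'actor_user'   => $actor,
        'suspicious'   => ( $actor && $actor !== (int) $user_id ) ? 1 : 0,
    ) );
}, 10, 4 );
```

With this in place, a line such as `priv_monitor event=admin_session_issued ... actor_user=57 target_user=1 suspicious=1` is the concrete indicator to alert on, and the SIEM query above can be tightened to match `priv_monitor` lines with `suspicious=1` or `event=role_escalation` instead of free-text phrases that core never emits.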
🔗 References
- https://plugins.trac.wordpress.org/browser/rover-idx/tags/3.0.0.2903/admin/rover-panel-social.php#L153
- https://plugins.trac.wordpress.org/browser/rover-idx/tags/3.0.0.2903/rover-social-common.php#L148
- https://plugins.trac.wordpress.org/changeset/3173032/rover-idx/trunk/rover-social-common.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5cf6a9fb-3c3b-48ad-a39b-77a529b89901?source=cve