CVE-2024-10533

4.3 MEDIUM

📋 TL;DR

The WP Chat App WordPress plugin allows authenticated attackers with Subscriber-level access or higher to install the filebird plugin without proper authorization. This vulnerability exists due to a missing capability check in the ajax_install_plugin() function. All WordPress sites using WP Chat App version 3.6.8 or earlier are affected.
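The root cause named above is a missing capability check in an admin-ajax handler. The following PHP is an added example written for this page, not the WP Chat App plugin's own code: it shows the vulnerable pattern (a `wp_ajax_*` handler that installs a plugin for any logged-in user) next to a hardened handler that verifies a nonce, requires the `install_plugins` capability, and restricts the slug to an allow-list. The hook name `example_install_plugin`, the nonce name, the function names and the `slug` parameter are hypothetical; `current_user_can()`, `check_ajax_referer()`, `plugins_api()`, `Plugin_Upgrader` and `WP_Ajax_Upgrader_Skin` are real WordPress core APIs.

```php
<?php
// Added example (not the plugin's real code). All names prefixed "example_" are hypothetical.

// --- Vulnerable pattern, shown unregistered for contrast ---
// wp_ajax_* hooks fire for ANY authenticated user, including Subscribers, so a handler
// without a capability check lets every account trigger a plugin install.
function example_ajax_install_plugin_vulnerable() {
    $slug = sanitize_key($_POST['slug'] ?? '');
    example_install_plugin_from_repo($slug);   // no nonce, no capability check
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action('wp_ajax_example_install_plugin', 'example_ajax_install_plugin_hardened');
function example_ajax_install_plugin_hardened() {
    // 1. CSRF protection: dies unless a valid nonce for this action is supplied.
    check_ajax_referer('example_install_plugin', 'nonce');

    // 2. Authorization: only roles granted install_plugins (Administrators by default).
    if (!current_user_can('install_plugins')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    // 3. Never install an arbitrary client-supplied slug; pin the allowed set.
    $allowed = ['filebird'];
    $slug = sanitize_key($_POST['slug'] ?? '');
    if (!in_array($slug, $allowed, true)) {
        wp_send_json_error(['message' => 'Plugin not allowed.'], 400);
    }

    example_install_plugin_from_repo($slug);
    wp_send_json_success(['installed' => $slug]);
}

// Shared install routine using core's upgrader classes (hypothetical helper name).
function example_install_plugin_from_repo($slug) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api('plugin_information', ['slug' => $slug, 'fields' => ['sections' => false]]);
    if (is_wp_error($api)) {
        wp_send_json_error(['message' => $api->get_error_message()], 500);
    }

    $upgrader = new Plugin_Upgrader(new WP_Ajax_Upgrader_Skin());
    $result   = $upgrader->install($api->download_link);
    if (is_wp_error($result) || !$result) {
        wp_send_json_error(['message' => 'Install failed.'], 500);
    }
}
```

The capability check is the essential fix; the nonce and allow-list are defence in depth. Sites that never install plugins from the dashboard can additionally set `DISALLOW_FILE_MODS` to `true` in `wp-config.php`, which makes `current_user_can('install_plugins')` return false for everyone, including Administrators.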

💻 Affected Systems

Products:
  • WP Chat App WordPress Plugin
Versions: All versions up to and including 3.6.8
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP Chat App plugin enabled and at least one authenticated user with Subscriber role or higher.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could install malicious plugins that provide backdoor access, execute arbitrary code, or compromise the entire WordPress installation.

🟠

Likely Case

Attackers install the filebird plugin to gain additional functionality or prepare for further attacks, potentially leading to data theft or site defacement.

🟢

If Mitigated

With proper user role management and security controls, impact is limited to authorized users who shouldn't have plugin installation privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has valid credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.9 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3186930/wp-whatsapp/trunk/includes/Cross.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Chat App and update to version 3.6.9 or later.
4. Alternatively, deactivate and delete the plugin if it is not needed.

🔧 Temporary Workarounds

Remove vulnerable plugin

all

Deactivate and delete the WP Chat App plugin if not essential for site functionality.

Restrict user roles

all

Limit Subscriber role users or implement additional authentication controls.

🧯 If You Can't Patch

  • Disable the WP Chat App plugin immediately.
  • Implement web application firewall rules that block POST requests to /wp-admin/admin-ajax.php carrying the plugin-install action handled by the vulnerable ajax_install_plugin() function.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Chat App version 3.6.8 or earlier.

Check Version:

wp plugin list --name='wp-whatsapp' --field=version

Verify Fix Applied:

Confirm WP Chat App is updated to version 3.6.9 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=install_plugin
  • Unexpected plugin installation events in WordPress logs
  • Filebird plugin appearing without administrator action

Network Indicators:

  • HTTP POST requests containing 'action=install_plugin' parameter
  • Unusual plugin installation traffic from non-admin users

SIEM Query:

source="wordpress.log" AND "action=install_plugin" AND NOT user_role="administrator"
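The log indicators above depend on WordPress actually recording who installed a plugin, which core does not do by default. The following must-use plugin is an added example for this page (not part of the advisory or of WP Chat App): it writes an audit line for every plugin install or update via the real `upgrader_process_complete` hook, and separately flags admin-ajax requests whose `action` contains `install_plugin` when the caller lacks `install_plugins`. The `pia_` prefix and the log line format are hypothetical; output goes to PHP's `error_log()`, which on most hosts lands in the web server error log or `wp-content/debug.log`.

```php
<?php
/*
Plugin Name: Plugin Install Audit (added example)
Description: Logs plugin install/update events with the acting user and role. Place in wp-content/mu-plugins/.
*/
// Added example; "pia_" names are hypothetical, the hooks and APIs are WordPress core.

function pia_actor() {
    $user  = wp_get_current_user();
    $login = $user->exists() ? $user->user_login : 'anonymous';
    $roles = $user->exists() ? implode(',', $user->roles) : 'none';
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '-';
    $via   = wp_doing_ajax() ? 'admin-ajax' : 'admin-ui';
    return sprintf('user=%s roles=%s ip=%s via=%s', $login, $roles, $ip, $via);
}

// Fires after Plugin_Upgrader finishes; $hook_extra carries type/action metadata.
add_action('upgrader_process_complete', 'pia_log_plugin_change', 10, 2);
function pia_log_plugin_change($upgrader, $hook_extra) {
    if (($hook_extra['type'] ?? '') !== 'plugin') {
        return;
    }
    $action = $hook_extra['action'] ?? 'unknown';            // 'install' or 'update'
    // Installs expose the new directory name in $upgrader->result; updates list plugin files.
    $target = $upgrader->result['destination_name']
        ?? implode(',', (array) ($hook_extra['plugins'] ?? []));
    $line = sprintf('plugin_%s plugin=%s %s', $action, $target, pia_actor());
    error_log($line);
    // Alert condition from the advisory: a plugin changed but the actor is not entitled to install plugins.
    if (!current_user_can('install_plugins')) {
        error_log('ALERT ' . $line);
    }
}

// Early signal: admin_init runs for admin-ajax.php too, before the ajax handler executes.
add_action('admin_init', 'pia_flag_install_requests');
function pia_flag_install_requests() {
    if (!wp_doing_ajax()) {
        return;
    }
    $action = sanitize_key($_REQUEST['action'] ?? '');
    if (strpos($action, 'install_plugin') === false || current_user_can('install_plugins')) {
        return;
    }
    error_log(sprintf('ALERT admin-ajax action=%s %s', $action, pia_actor()));
}
```

The `ALERT` lines map directly onto the SIEM query above (an install event where the role is not administrator); the `admin_init` check fires even if a vulnerable handler later refuses or fails, so it also catches probing attempts.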
