CVE-2024-10586
📋 TL;DR
The Debug Tool plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to create arbitrary files, including PHP files, on affected websites. This can lead to remote code execution, giving attackers full control over the WordPress installation. All WordPress sites using Debug Tool version 2.2 or earlier are affected.
💻 Affected Systems
- WordPress Debug Tool plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WordPress site with attacker gaining full administrative access, data theft, defacement, and potential lateral movement to other systems.
Likely Case
Attackers upload web shells to gain persistent access, install malware, steal sensitive data, or use the site for phishing campaigns.
If Mitigated
Attack attempts are logged and blocked by web application firewalls, with no successful exploitation.
🎯 Exploit Status
The vulnerability is trivial to exploit with publicly available proof-of-concept code. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/debug-tool/trunk/tools/image-puller.php#L120
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Debug Tool and update to version 2.2.1 or later. 4. If update is not available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Debug Tool Plugin
allDeactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate debug-tool
Web Application Firewall Rule
allBlock requests to the vulnerable dbt_pull_image() function
Add WAF rule to block POST requests containing 'dbt_pull_image' in URL or parameters
🧯 If You Can't Patch
- Immediately deactivate and remove the Debug Tool plugin from all WordPress installations
- Implement strict file upload restrictions and monitor for suspicious file creation in WordPress upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Debug Tool version 2.2 or earlierCheck Version:
wp plugin get debug-tool --field=versionVerify Fix Applied:
Verify Debug Tool plugin is updated to version 2.2.1 or later, or confirm plugin is removed📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=dbt_pull_image
- Unexpected file creation in wp-content/uploads/ directory
- PHP file creation by non-admin users
Network Indicators:
- HTTP POST requests containing 'dbt_pull_image' parameter
- Unusual file upload patterns to WordPress admin endpoints
SIEM Query:
source="web_logs" AND (url="*admin-ajax.php*" AND parameters="*dbt_pull_image*")