Login Sign Up

CVE-2024-1175

5.3 MEDIUM
Authentication Bypass

📋 TL;DR

The WP-Recall plugin for WordPress has a missing capability check that allows unauthenticated attackers to delete arbitrary payment records. This affects all WordPress sites using WP-Recall plugin versions up to and including 16.26.6. The vulnerability enables data destruction without authentication.

💻 Affected Systems

Products:
  • WP-Recall – Registration, Profile, Commerce & More WordPress plugin
Versions: All versions up to and including 16.26.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable WP-Recall plugin versions are affected regardless of configuration.

📦 What is this software?

Wp Recall by Plechevandrey

View all CVEs affecting Wp Recall →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete loss of payment transaction records, financial data corruption, and potential business disruption if critical payment data is deleted.

🟠

Likely Case

Selective deletion of payment records causing accounting discrepancies, customer disputes, and operational confusion.

🟢

If Mitigated

Minimal impact if payment data is regularly backed up and the plugin is not internet-facing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and minimal technical skill to exploit via crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.26.7 or later

Vendor Advisory: https://wordpress.org/plugins/wp-recall/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP-Recall plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 16.26.7+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable WP-Recall Plugin

all

Temporarily deactivate the vulnerable plugin until patched

wp plugin deactivate wp-recall

Restrict Access via Web Application Firewall

all

Block requests to wp-recall plugin endpoints

# WAF rule to block /wp-content/plugins/wp-recall/*

🧯 If You Can't Patch

  • Implement regular database backups of payment tables
  • Restrict network access to WordPress admin interface using IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → WP-Recall version. If version is 16.26.6 or lower, system is vulnerable.

Check Version:

wp plugin get wp-recall --field=version

Verify Fix Applied:

Confirm WP-Recall plugin version is 16.26.7 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=delete_payment
  • Unusual deletion events in payment database tables

Network Indicators:

  • Unusual traffic patterns to wp-recall plugin endpoints from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "action=delete_payment" AND NOT user_authenticated=true

📊 Metadata

CVE ID: CVE-2024-1175
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-862
Published: June 6, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1175, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-6500 10.0

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress ...

Same vulnerability type (CWE-862)