CVE-2024-12155
📋 TL;DR
The SV100 Companion WordPress plugin has a critical vulnerability that allows unauthenticated attackers to modify WordPress settings, including changing the default user registration role to administrator. This enables complete site takeover by registering new admin accounts. All WordPress sites using SV100 Companion version 2.0.02 or earlier are affected.
💻 Affected Systems
- SV100 Companion WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with administrative access, data theft, malware injection, and defacement.
Likely Case
Attackers gain administrative access, install backdoors, steal sensitive data, and potentially compromise the entire server.
If Mitigated
Limited impact if user registration is disabled and proper network segmentation exists.
🎯 Exploit Status
Simple HTTP POST request to vulnerable endpoint. Public exploit code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.03 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/sv100-companion/trunk/lib/modules/sv_settings/sv_settings.php
Restart Required: No
Instructions:
1. Update the SV100 Companion plugin to version 2.0.03 or later via the WordPress admin panel.
2. Verify the update completed successfully.
3. Test plugin functionality.
🔧 Temporary Workarounds
Disable User Registration
Prevent attackers from creating new admin accounts by disabling user registration in WordPress settings.
Web Application Firewall Rule
Block requests to the vulnerable settings_import() function endpoint.
Example WAF rule: block POST requests to */wp-admin/admin-ajax.php with action=sv_settings_import
🧯 If You Can't Patch
- Immediately disable the SV100 Companion plugin via WordPress admin or by renaming plugin directory
- Implement strict network access controls to limit access to WordPress admin interface
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > SV100 Companion version. If version is 2.0.02 or earlier, you are vulnerable.
Check Version:
wp plugin list --name=sv100-companion --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 2.0.03 or later in WordPress admin panel. Test that settings import functionality still works for authenticated admins.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=sv_settings_import that carry no authenticated WordPress session
- Sudden creation of new administrator accounts
- Changes to WordPress default_role setting
Network Indicators:
- Unusual POST requests to WordPress admin-ajax.php endpoint
- Traffic patterns showing new user registrations followed by admin actions
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="sv_settings_import" AND user="-"
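The log indicators and SIEM query above, carried into a small log scanner as an added example (not part of this advisory or the plugin's own code). It assumes combined-format access logs and reads `action` from the query string, as the SIEM query does; the sample log lines are constructed. Its `is_settings_import` predicate is the same match the WAF workaround above expresses, so the same function can drive a blocking rule. One caveat: the `user` field of an access log records HTTP-auth credentials, and WordPress logins are cookie-based, so that field reads `-` for authenticated and unauthenticated requests alike. The scanner therefore treats the action match as the primary signal and raises severity when the same source goes on to POST a registration, matching the "new user registrations followed by admin actions" indicator.

```python
"""Scan access logs for CVE-2024-12155 indicators (added example, assumptions noted)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed log layout: Apache/Nginx "combined" format. The trailing referer and
# user-agent fields are not needed for the match, so the pattern is not end-anchored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one import attempt followed by a registration from the
# same source, one benign admin-ajax call, and one GET probe that must not match.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Dec/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2024:10:15:07 +0000] "POST /wp-admin/admin-ajax.php?action=sv_settings_import HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.10 - - [01/Dec/2024:10:15:20 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [01/Dec/2024:10:16:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2024:10:16:05 +0000] "GET /wp-admin/admin-ajax.php?action=sv_settings_import HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""


@dataclass
class Request:
    ip: str
    user: str      # HTTP-auth user from the log; "-" for cookie-authenticated WordPress users too
    time: str
    method: str
    path: str
    query: dict
    status: int


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return Request(ip=m.group("ip"), user=m.group("user"), time=m.group("time"),
                   method=m.group("method"), path=parts.path, query=query,
                   status=int(m.group("status")))


def is_settings_import(req: Request) -> bool:
    """The advisory's indicator: POST to admin-ajax.php carrying action=sv_settings_import.
    This is also the predicate behind the WAF workaround; a blocking rule can reuse it."""
    return (req.method == "POST"
            and req.path.endswith("/wp-admin/admin-ajax.php")
            and req.query.get("action") == "sv_settings_import")


def is_registration(req: Request) -> bool:
    """Follow-on indicator: a new-user registration submitted via wp-login.php."""
    return (req.method == "POST"
            and req.path.endswith("/wp-login.php")
            and req.query.get("action") == "register")


def scan(lines):
    """Return one finding per settings-import hit, with the count of registrations
    the same source IP submitted afterwards; severity rises when that count is non-zero."""
    reqs = [r for r in map(parse_line, lines) if r is not None]
    findings = []
    for i, r in enumerate(reqs):
        if not is_settings_import(r):
            continue
        later_regs = [s for s in reqs[i + 1:] if s.ip == r.ip and is_registration(s)]
        findings.append({
            "ip": r.ip,
            "time": r.time,
            "status": r.status,
            "http_auth_user": r.user,
            "registrations_after": len(later_regs),
            "severity": "high" if later_regs else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against a real access log with `scan(open(path).readlines())`; a "high" finding warrants an immediate check of the `default_role` option and the administrator list, as the verification section above describes.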