CVE-2024-12825
📋 TL;DR
The Custom Related Posts WordPress plugin has a missing capability check vulnerability that allows authenticated users with Subscriber-level access or higher to search posts and modify post relationships without proper authorization. This affects all versions up to and including 1.7.3. Attackers can link/unlink related posts and access search functionality they shouldn't have permission to use.
💻 Affected Systems
- Custom Related Posts WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could manipulate post relationships to create misleading content connections, damage site credibility, or create SEO spam links between unrelated content.
Likely Case
Low-privileged users can modify post relationships without authorization, potentially creating inappropriate content associations or disrupting editorial workflows.
If Mitigated
With proper user access controls and monitoring, impact is limited to minor content manipulation that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but only needs Subscriber-level permissions. The vulnerability is in AJAX endpoints that lack proper capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.4
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Custom Related Posts' plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 1.7.4+ from WordPress plugin repository
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or restrict access to the vulnerable AJAX actions by modifying the theme's functions.php or by using a security plugin.
Add to theme's functions.php or custom plugin:
<?php
// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so the
// handlers are already unhooked by the time the request reaches them.
// remove_all_actions() is used rather than remove_action() so the workaround
// does not depend on guessing the exact callback name the plugin registers.
add_action('admin_init', function () {
    remove_all_actions('wp_ajax_crp_search_posts');
    remove_all_actions('wp_ajax_crp_link_relation');
    remove_all_actions('wp_ajax_crp_unlink_relation');
});
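A less disruptive variant of the same workaround, added here as an example and not code from the plugin: rather than removing the handlers for everyone, hook a capability gate onto the same AJAX actions at priority 0 so it runs before the plugin's own callback (default priority 10) and refuses anyone who cannot edit posts. It assumes the hook names follow WordPress's wp_ajax_{action} convention for the three actions named above and that 'edit_posts' is the right bar for editing post relationships.

```php
<?php
/**
 * Capability gate for the Custom Related Posts AJAX actions (added example).
 * Place in a must-use plugin (wp-content/mu-plugins/) or the theme's functions.php.
 * Assumption: 'edit_posts' is the capability required to manage relationships;
 * Subscribers hold only 'read' and are therefore refused.
 */
$crp_gated_actions = ['crp_search_posts', 'crp_link_relation', 'crp_unlink_relation'];

foreach ($crp_gated_actions as $crp_action) {
    add_action("wp_ajax_{$crp_action}", function () use ($crp_action) {
        if (current_user_can('edit_posts')) {
            // Authorised user: fall through to the plugin's own handler.
            return;
        }
        // Log the refusal so the SIEM rule in the Detection section can pick it up.
        error_log(sprintf(
            '[crp-gate] denied action=%s user_id=%d',
            $crp_action,
            get_current_user_id()
        ));
        // wp_send_json_error() ends the request via wp_die(), so the plugin's
        // handler at priority 10 never executes for this user.
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }, 0);
}
```

Once version 1.7.4 or later is installed and verified, remove the gate so the plugin's own authorisation is the single source of truth.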
Restrict user capabilities
Temporarily limit Subscriber role capabilities or implement additional access controls.
Using a role management plugin like 'User Role Editor' or add to functions.php:
<?php
add_action('init', function () {
    $subscriber = get_role('subscriber');
    if ($subscriber) {
        // remove_cap() writes the role change to the database, so it persists
        // after this code is removed; restore it with add_cap('read') once patched.
        // Note: admin-ajax.php does not itself require 'read', so this mainly
        // removes dashboard access and should be combined with the endpoint
        // workaround above rather than relied on alone.
        $subscriber->remove_cap('read');
        // Or use custom capability restrictions
    }
});
🧯 If You Can't Patch
- Deactivate the Custom Related Posts plugin completely until patched
- Implement strict monitoring of user activities and post relationship changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Custom Related Posts version. If version is 1.7.3 or lower, you are vulnerable.
Check Version:
wp plugin list --name='custom-related-posts' --field=version (WP-CLI) or check WordPress admin interface
Verify Fix Applied:
After updating, verify plugin version shows 1.7.4 or higher in WordPress admin panel. Test with Subscriber account that AJAX actions now return permission errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to /wp-admin/admin-ajax.php with action parameters: crp_search_posts, crp_link_relation, crp_unlink_relation from low-privilege users
- Unexpected post relationship changes in database or audit logs
Network Indicators:
- POST requests to admin-ajax.php with vulnerable action parameters from unauthorized user roles
SIEM Query:
source="wordpress_logs" AND (action="crp_search_posts" OR action="crp_link_relation" OR action="crp_unlink_relation") AND user_role="subscriber"