CVE-2024-13742
📋 TL;DR
The iControlWP WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the reqpars parameter. This allows unauthenticated attackers to inject PHP objects, but exploitation requires a separate plugin or theme with a POP chain to achieve impact. All WordPress sites using iControlWP versions up to 4.4.5 are affected.
💻 Affected Systems
- iControlWP - Multiple WordPress Site Manager
📦 What is this software?
iControlWP (plugin slug: worpit-admin-dashboard-plugin) is a WordPress plugin for managing multiple WordPress sites from a single dashboard, published by iControlWP.
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could execute arbitrary code, delete files, or steal sensitive data leading to complete site compromise.
Likely Case
Most sites will have no immediate impact unless they have vulnerable plugins/themes with POP chains installed, but the vulnerability creates a persistent attack surface.
If Mitigated
With proper plugin management and security controls, the risk is limited to sites with vulnerable POP chain components installed alongside iControlWP.
🎯 Exploit Status
Exploitation requires finding or developing a POP chain from other installed components. No known POP chain exists in iControlWP itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.6 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find iControlWP and click 'Update Now'.
4. Verify that the version is 4.4.6 or higher.
🔧 Temporary Workarounds
Disable iControlWP Plugin
Temporarily deactivate the plugin until it is patched:
wp plugin deactivate worpit-admin-dashboard-plugin
Web Application Firewall Rule
Block requests whose reqpars parameter contains a serialized PHP object. This limits exposure but is not a substitute for the patch, since serialized data can be encoded in ways a simple signature does not catch.
🧯 If You Can't Patch
- Remove or disable the iControlWP plugin immediately
- Audit and remove any plugins/themes with known POP chains to reduce attack surface
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → iControlWP version. If version is 4.4.5 or lower, you are vulnerable.
Check Version:
wp plugin get worpit-admin-dashboard-plugin --field=version
Verify Fix Applied:
After updating, verify iControlWP version shows 4.4.6 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing serialized PHP objects in reqpars parameter
- Unusual plugin activation/deactivation events
- Unexpected file modifications in wp-content/plugins/worpit-admin-dashboard-plugin
Network Indicators:
- POST requests to WordPress endpoints with reqpars parameter containing serialized data
- Traffic spikes to /wp-admin/admin-ajax.php or plugin-specific endpoints
SIEM Query:
source="wordpress" AND (uri_path="*admin-ajax.php*" OR uri_path="*wp-admin*" OR uri_path="*worpit*") AND http_method="POST" AND query_string="*reqpars*"
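As an added detection example (not from the original advisory or the iControlWP project), the following Python script applies the log indicators above to constructed JSON-lines request records: it extracts every reqpars value from the query string or form-encoded body and flags the ones that carry a serialized PHP object marker (O: or C:). The record format, field names and sample values are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# A serialized PHP object starts with O:<len>:"<Class>":<n>:{ (or C: for classes
# that implement Serializable). Matching at the start of the value or right after
# a separator also catches objects nested inside a serialized array.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])(?:O|C):\d+:"[A-Za-z_\\][\w\\]*":\d+:[{]')


def has_php_object(value):
    """True if the (already URL-decoded) value embeds a serialized PHP object."""
    return PHP_OBJECT_RE.search(value) is not None


def reqpars_values(uri, body):
    """Collect every reqpars value from the query string and a form-encoded body."""
    found = []
    for qs in (urlsplit(uri).query, body):
        found.extend(parse_qs(qs, keep_blank_values=True).get("reqpars", []))
    return found


def flag_requests(log_lines):
    """Return (method, path, value) for each request whose reqpars carries an object."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        path = urlsplit(rec["uri"]).path
        for value in reqpars_values(rec["uri"], rec.get("body", "")):
            if has_php_object(value):
                hits.append((rec["method"], path, value))
    return hits


# Constructed sample records, not real traffic. The body is included because a
# plain access log does not record it; a WAF or reverse-proxy log would (assumed).
SAMPLE_LOG = [
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=x&reqpars=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"reqpars=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D"}',
    '{"method":"GET","uri":"/?reqpars=a%3A1%3A%7Bi%3A0%3BO%3A3%3A%22Foo%22%3A0%3A%7B%7D%7D","body":""}',
    '{"method":"GET","uri":"/index.php?p=1","body":""}',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("ALERT serialized PHP object in reqpars:", hit)
```

The SIEM query above fires on every POST that mentions reqpars; this check narrows that to values that actually carry an object marker, and would need extending if the parameter is transported in another encoding such as base64.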
🔗 References
- https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/lib/src/LegacyApi/RequestParameters.php#L42
- https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/src/api/RequestParameters.php#L14
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6f25b0cc-60ec-49a0-8356-fd3fba97e987?source=cve