CVE-2024-13800
📋 TL;DR
The ConvertPlus WordPress plugin is missing an authorization check, which allows authenticated users with Subscriber-level access or higher to modify critical WordPress options. This can cause denial of service by creating site errors or enable unwanted features such as user registration. All WordPress sites running ConvertPlus versions up to and including 3.5.30 are affected.
💻 Affected Systems
- ConvertPlus WordPress Plugin
📦 What is this software?
Convertplus by Convertplug
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable the entire WordPress site by setting critical options to values that cause fatal errors, resulting in complete service disruption.
Likely Case
Attackers with subscriber accounts modify options to cause partial site errors or enable features like user registration against administrator intent.
If Mitigated
With proper access controls and monitoring, impact is limited to minor configuration changes that can be quickly reverted.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of WordPress option names to target. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.5.31 or later
Vendor Advisory: https://www.convertplug.com/plus/product/convertplug/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find ConvertPlus and click 'Update Now'.
4. Verify the update to version 3.5.31 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the vulnerable cp_dismiss_notice AJAX endpoint.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_cp_dismiss_notice', 'cp_dismiss_notice');
Note that remove_action only takes effect if the callback name and priority match exactly what the plugin registered, and it must run after the plugin has added the hook (for example from a later-firing hook such as init); if the plugin registered a class method or a closure instead, this call silently does nothing, so confirm the handler is actually gone before relying on it.
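As an added example (not code from this advisory or from the plugin vendor), a must-use plugin that denies the cp_dismiss_notice admin-ajax action to anyone lacking an administrator-level capability. It hooks admin_init, which admin-ajax.php fires before any wp_ajax_* hook, so it works regardless of how the plugin registered its handler. The action name comes from this advisory; the manage_options capability and the log format are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: CP Dismiss Notice Guard (example mitigation, not vendor code)
 * Description: Denies the cp_dismiss_notice admin-ajax action to users
 *              without the manage_options capability. Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// admin-ajax action to guard (taken from the advisory).
const CP_GUARD_ACTION = 'cp_dismiss_notice';

// Capability required to reach the endpoint; manage_options is an
// administrator-level capability, an assumed conservative default.
const CP_GUARD_CAPABILITY = 'manage_options';

/**
 * Stop the guarded AJAX action for anonymous or under-privileged callers.
 *
 * admin-ajax.php runs admin_init before wp_ajax_* and wp_ajax_nopriv_*
 * hooks, so this executes ahead of the plugin's own handler no matter how
 * that handler was registered (plain function, class method or closure).
 */
function cp_guard_dismiss_notice() {
    if ( ! wp_doing_ajax() ) {
        return; // Only admin-ajax requests matter here.
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( $action !== CP_GUARD_ACTION ) {
        return;
    }

    if ( current_user_can( CP_GUARD_CAPABILITY ) ) {
        return; // Administrators keep the original behaviour.
    }

    // Audit trail that lines up with the log indicators in this advisory.
    $user = wp_get_current_user();
    error_log( sprintf(
        'cp_guard: blocked %s user_id=%d login=%s ip=%s',
        CP_GUARD_ACTION,
        $user->ID,
        $user->user_login ? $user->user_login : '(anonymous)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Terminate the request before the plugin's handler can touch wp_options.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'admin_init', 'cp_guard_dismiss_notice', 0 );
```

Blocked attempts appear in the PHP error log with the user id and source IP, which feeds the monitoring indicators listed further down.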
🧯 If You Can't Patch
- Restrict user registration and review existing subscriber accounts for suspicious activity
- Implement web application firewall rules to block requests to wp-admin/admin-ajax.php with cp_dismiss_notice action
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ConvertPlus version. If version is 3.5.30 or lower, system is vulnerable.
Check Version:
wp plugin list --name=convertplus --field=version
Verify Fix Applied:
After update, confirm ConvertPlus version shows 3.5.31 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=cp_dismiss_notice from non-admin users
- WordPress option changes in wp_options table without corresponding admin actions
Network Indicators:
- HTTP POST requests to admin-ajax.php with cp_dismiss_notice parameter from unexpected IPs
SIEM Query:
source="web_access_logs" AND uri_path="/wp-admin/admin-ajax.php" AND post_data="action=cp_dismiss_notice" AND user_role!="administrator"