CVE-2024-1385
📋 TL;DR
The WP-Stateless plugin for WordPress has a missing capability check that allows authenticated users with subscriber-level access or higher to update arbitrary option values to the current time. This can cause complete site outages by disrupting critical WordPress settings. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP-Stateless - Google Cloud Storage WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site takedown through manipulation of critical WordPress options, potentially requiring database restoration to recover.
Likely Case
Site instability or downtime through modification of WordPress settings, requiring administrator intervention to restore proper configuration.
If Mitigated
No impact if proper access controls prevent subscriber-level users from reaching the affected admin functions, or if the plugin is patched.
🎯 Exploit Status
Exploitation requires authenticated access but only subscriber-level privileges. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035169%40wp-stateless&new=3035169%40wp-stateless
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP-Stateless plugin.
4. Click 'Update Now' if available, or manually update to version 3.4.1 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable WP-Stateless Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate wp-stateless
Restrict User Registration
Disable new user registration to prevent creation of subscriber accounts
Navigate to Settings → General in WordPress admin and uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove subscriber role from all non-essential users and restrict user registration
- Implement web application firewall rules to block suspicious option update requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP-Stateless version. If version is 3.4.0 or lower, you are vulnerable.
Check Version:
wp plugin list --name=wp-stateless --field=version
Verify Fix Applied:
Verify WP-Stateless plugin version is 3.4.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual option updates from non-admin users
- Multiple option modification requests from subscriber accounts
- Site configuration changes from low-privilege users
Network Indicators:
- POST requests to wp-admin/admin-ajax.php with action=dismiss_notices from non-admin users
- Unexpected option parameter modifications
SIEM Query:
source="wordpress_logs" AND (action="dismiss_notices" OR option_update) AND user_role="subscriber"
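The SIEM query above expressed as a small log-review script, as an added example that is not part of this advisory. It assumes a constructed log format in which an activity-logging plugin or reverse proxy records the client IP, the authenticated user's role, the method, the path and the POST body; the `option` body parameter is an assumed name, not one taken from the plugin.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample lines (assumed format: ip role method path "body").
SAMPLE_LOG = """\
203.0.113.7 subscriber POST /wp-admin/admin-ajax.php "action=dismiss_notices&option=example_a"
203.0.113.7 subscriber POST /wp-admin/admin-ajax.php "action=dismiss_notices&option=example_b"
198.51.100.4 administrator POST /wp-admin/admin-ajax.php "action=dismiss_notices&option=example_c"
192.0.2.9 subscriber GET /wp-login.php ""
192.0.2.9 subscriber POST /wp-admin/admin-ajax.php "action=heartbeat"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<role>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$'
)
# Roles expected to change site options legitimately (assumption: administrator only).
ADMIN_ROLES = {"administrator"}
SUSPECT_ACTION = "dismiss_notices"  # the admin-ajax action named in the advisory

def parse_line(line):
    """Split one log line into fields and decode the POST body parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"]).items()}
    return rec

def is_suspicious(rec):
    """POST to admin-ajax.php with the affected action from a non-admin role."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/admin-ajax.php")
            and rec["params"].get("action") == SUSPECT_ACTION
            and rec["role"] not in ADMIN_ROLES)

def find_hits(log_text):
    """Return the parsed records that match the indicator."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and is_suspicious(rec)]

def repeat_offenders(hits, threshold=2):
    """Source IPs with repeated matching requests (the 'multiple requests' indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"suspicious: {h['ip']} role={h['role']} params={h['params']}")
    print("repeat offenders:", repeat_offenders(hits))
```

The administrator's request and the subscriber's heartbeat call are left alone; only the two subscriber requests carrying the affected action are reported, and their shared source IP crosses the repeat threshold.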
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3035169%40wp-stateless&new=3035169%40wp-stateless&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9a475017-ef45-4614-bdc6-ddd619b8caf3?source=cve