CVE-2024-1955
📋 TL;DR
The Hide Dashboard Notifications WordPress plugin has a missing capability check vulnerability that allows authenticated users with contributor-level access or higher to modify plugin settings. This affects all versions up to and including 1.3. Attackers can change plugin configuration without proper authorization.
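The bug class described above, shown as an added illustration that is not code from the Hide Dashboard Notifications plugin: a WordPress settings handler wired to an `admin_post_{action}` hook fires for any logged-in user, so a handler that omits `current_user_can()` lets a Contributor overwrite an option. The hardened version adds the capability check, a nonce check and input validation. The option key, action name and setting values are hypothetical placeholders.

```php
<?php
/**
 * Illustrative example only: NOT the Hide Dashboard Notifications plugin's code.
 * Shows the bug class behind CVE-2024-1955 (a settings handler with no
 * capability check) next to a hardened handler. Option and action names are
 * hypothetical placeholders.
 */
defined( 'ABSPATH' ) || exit;

// --- Vulnerable pattern ---------------------------------------------------
// admin_post_{action} runs for ANY authenticated user who submits a form to
// wp-admin/admin-post.php?action=example_save_settings. With no capability
// check and no nonce, a Contributor can rewrite the option.
function example_save_settings_vulnerable() {
    $value = isset( $_POST['example_setting'] ) ? $_POST['example_setting'] : '';
    update_option( 'example_plugin_settings', $value ); // no authorization, no nonce
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
// Deliberately not registered; kept only for comparison with the fix below.
// add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function example_save_settings_hardened() {
    // 1. Authorization: only users permitted to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Input validation: accept only the values the plugin understands.
    $allowed = array( 'show', 'hide' );
    $value   = isset( $_POST['example_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_setting'] ) )
        : '';
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_die( esc_html__( 'Invalid setting value.' ), '', array( 'response' => 400 ) );
    }

    update_option( 'example_plugin_settings', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

When reviewing a plugin for this class of issue, look at every `admin_post_*`, `wp_ajax_*` and `admin_init` callback that writes options and confirm both a capability check and a nonce check precede the write; the Contributor role lacks `manage_options`, so the first check alone closes the hole described in this advisory.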
💻 Affected Systems
- Hide Dashboard Notifications WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could disable security notifications, hide malicious activity, or reconfigure the plugin to facilitate further attacks while evading detection.
Likely Case
Malicious contributors or compromised accounts modify plugin settings to hide their activities or disrupt normal WordPress dashboard functionality.
If Mitigated
With proper user access controls and monitoring, impact is limited to unauthorized setting changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.3
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-hide-backed-notices
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Hide Dashboard Notifications'
4. Click 'Update Now' if available
5. If no update available, deactivate and delete the plugin
6. Install the latest version from WordPress repository
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily restrict contributor-level users from accessing the WordPress site until patching is complete.
Disable Plugin
Deactivate the vulnerable plugin to prevent exploitation while maintaining site functionality.
🧯 If You Can't Patch
- Implement strict user access controls and monitor contributor-level accounts
- Add WordPress security plugins that detect unauthorized setting changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Hide Dashboard Notifications' version 1.3 or earlier
Check Version:
wp plugin list --name=wp-hide-backed-notices --field=version
(WP-CLI filters on the plugin's directory slug, which is wp-hide-backed-notices per the vendor repository links below, not on the display name 'Hide Dashboard Notifications'.)
Verify Fix Applied:
Confirm plugin version is higher than 1.3 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to plugin settings endpoints
- Unexpected changes to plugin configuration
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with plugin-specific actions
SIEM Query:
source="wordpress.log" AND ("warning_notices_settings" OR "hide-dashboard-notifications") AND status=200
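To produce the "unexpected changes to plugin configuration" signal listed above at the source rather than inferring it from access logs, a small must-use plugin can record every change to the watched options together with the acting user's roles. This is an added example, not part of the advisory or the plugin; the option key in `EXAMPLE_WATCHED_OPTIONS` is a placeholder to replace with the plugin's real option names, and the log prefix `WP_OPTION_AUDIT` is a chosen constant for SIEM matching.

```php
<?php
/**
 * Added example (not part of the advisory or of the plugin): a must-use plugin
 * (drop into wp-content/mu-plugins/) that logs who changes selected options,
 * so setting changes by low-privilege accounts surface in the PHP error log
 * and can be forwarded to a SIEM. Option names below are placeholders.
 */
defined( 'ABSPATH' ) || exit;

const EXAMPLE_WATCHED_OPTIONS = array( 'example_plugin_settings' );

function example_log_option_change( $option, $old_value, $new_value ) {
    if ( ! in_array( $option, EXAMPLE_WATCHED_OPTIONS, true ) ) {
        return;
    }

    $user_id = get_current_user_id();
    $user    = $user_id ? get_userdata( $user_id ) : null;
    $roles   = $user ? implode( ',', $user->roles ) : 'none';

    // With a correct capability check, only users holding manage_options can
    // reach the settings write; a change by anyone else is the alertable event.
    $suspicious = $user_id && ! user_can( $user_id, 'manage_options' );

    $record = array(
        'event'      => 'option_changed',
        'option'     => $option,
        'user_id'    => $user_id,
        'roles'      => $roles,
        'suspicious' => $suspicious,
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'uri'        => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'old'        => $old_value,
        'new'        => $new_value,
        'time'       => gmdate( 'c' ),
    );

    // One JSON object per line, prefixed so a SIEM rule can key on it.
    error_log( 'WP_OPTION_AUDIT ' . wp_json_encode( $record ) );
}

// updated_option passes ( $option, $old_value, $value );
// added_option passes ( $option, $value ) for a first-time write.
add_action( 'updated_option', 'example_log_option_change', 10, 3 );
add_action( 'added_option', function ( $option, $value ) {
    example_log_option_change( $option, null, $value );
}, 10, 2 );
```

A SIEM rule over these lines is then a direct match on `WP_OPTION_AUDIT` with `"suspicious":true`, which is more precise than the status-200 query above because it identifies the account and role that made the change and can be reverted using the logged old value.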
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-hide-backed-notices/tags/1.3/admin/class-wp-hide-backed-notices-admin.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3104675%40wp-hide-backed-notices&new=3104675%40wp-hide-backed-notices&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d4655236-7dfe-40ae-9d0c-6eacc59af13d?source=cve