CVE-2024-22144
📋 TL;DR
The GotMLS plugin (Anti-Malware Security and Brute-Force Firewall for WordPress) generates a predictable nonce. An unauthenticated attacker can brute-force that nonce and use it to reach functionality that leads to remote code execution (RCE). All versions up to and including 4.21.96 are affected; an attacker can inject and execute arbitrary code on a vulnerable WordPress installation.
💻 Affected Systems
- WordPress Anti-Malware Security and Brute-Force Firewall (GotMLS)
⚠️ Manual Verification Required
Automated scanners that rely on NVD version ranges may not flag this CVE, because the NVD entry carries no version data. The Patchstack advisory linked under References is the authoritative source and lists every release up to and including 4.21.96 as affected, so check the installed version yourself:
- Review the CVE details at NVD and the Patchstack advisory
- Compare the installed plugin version against 4.21.96 (see How to Verify below)
- Test whether the plugin's endpoints are reachable without authentication in your environment
- Update to 4.21.97 or later; if you cannot, apply the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, malware injection, credential theft, and unauthorized administrative access to WordPress sites.
If Mitigated
Reduced impact where requests to the plugin path are blocked or rate-limited at a web application firewall, the web tier is segmented so a compromised host cannot reach other systems, and intrusion detection alerts on the brute-force pattern early. Segmentation limits pivoting only; it does not stop the unauthenticated request from reaching a public site.
🎯 Exploit Status
Exploitation requires no authentication and consists of brute-forcing a predictable nonce, which is easily automated. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.21.97 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Anti-Malware Security and Brute-Force Firewall'.
4. Click 'Update Now' or manually update to version 4.21.97 or later.
5. Verify that the update completed and the installed version reads 4.21.97 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched (the site loses the plugin's malware scanning and login protection while it is off)
wp plugin deactivate gotmls
Web Application Firewall Rules
Block or rate-limit requests to the vulnerable plugin's endpoints
# Add WAF rules to block (or strictly rate-limit) requests to /wp-content/plugins/gotmls/
# A directory-wide block also blocks the plugin's own scripts and assets, so pair it with deactivation
🧯 If You Can't Patch
- Remove the GotMLS plugin completely from the WordPress installation; deactivation alone leaves its files on disk and reachable by URL
- Rate-limit and monitor requests to the plugin path, and segment the web tier so a compromised host cannot pivot to other systems
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Anti-Malware Security and Brute-Force Firewall version
Check Version:
wp plugin get gotmls --field=version
Verify Fix Applied:
Verify plugin version is 4.21.97 or higher in WordPress admin
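The fix and verification steps above, as an added shell example that is not part of the original advisory: a POSIX function that compares a dotted version against the fixed release 4.21.97, wrapped in a WP-CLI check that updates the plugin only when the installed version is affected. The `wp` invocations assume WP-CLI is on PATH and the script is run from the WordPress root; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed GotMLS version
# is affected by CVE-2024-22144 and update it with WP-CLI when it is.
# Affected: every release up to and including 4.21.96. Fixed: 4.21.97 and later.
GOTMLS_FIXED='4.21.97'

# version_lt A B  ->  exit 0 if dotted numeric version A is strictly lower than B
# (missing components count as 0, so 4.21 < 4.21.97; pre-release suffixes are rejected
# by the caller below, not handled here)
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                  # leading component of each
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                                     # versions are equal
}

# gotmls_is_vulnerable VERSION  ->  exit 0 if VERSION is affected, 1 if fixed,
# 2 if VERSION is not a plain dotted number (so a caller can fail closed)
gotmls_is_vulnerable() {
    case "$1" in
        ''|*[!0-9.]*) echo "unrecognised version string: '$1'" >&2; return 2 ;;
    esac
    version_lt "$1" "$GOTMLS_FIXED"
}

# gotmls_check_and_update  ->  run from the WordPress root with WP-CLI on PATH;
# prints a verdict and updates the plugin only when the installed version is affected
gotmls_check_and_update() {
    installed=$(wp plugin get gotmls --field=version) || {
        echo "gotmls is not installed (or wp-cli failed)"; return 2; }
    if gotmls_is_vulnerable "$installed"; then
        echo "gotmls $installed is affected by CVE-2024-22144; updating to $GOTMLS_FIXED or later"
        wp plugin update gotmls
        echo "now at $(wp plugin get gotmls --field=version)"
    else
        echo "gotmls $installed is not affected (fixed in $GOTMLS_FIXED)"
    fi
}
```

Call `gotmls_check_and_update` from a shell that has WP-CLI available; the comparison helpers can be sourced on their own to check a version string copied from the admin panel (`gotmls_is_vulnerable 4.21.96` exits 0).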
📡 Detection & Monitoring
Log Indicators:
- Bursts of requests to /wp-content/plugins/gotmls/ endpoints from a single source IP (the nonce brute-force)
- Unusual POST requests with code injection patterns
- Sudden increase in admin user creation or privilege escalation
Network Indicators:
- Brute-force patterns to plugin endpoints
- Unexpected outbound connections from WordPress server
- HTTP requests with base64 encoded payloads
SIEM Query:
source="access.log" AND uri_path="/wp-content/plugins/gotmls/*" | stats count by src_ip | where count > 50
(The threshold of 50 is a placeholder; tune it to normal traffic on the plugin path. A brute-force stands out as one src_ip with far more hits than any other, regardless of status code.)
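The brute-force indicator above, as an added shell example rather than the page's own tooling: an awk pass over combined-format access log lines that counts hits per source IP on the plugin path and flags IPs above a threshold. The log lines are constructed for the example (RFC 5737 addresses, made-up query strings), the threshold of 5 is arbitrary, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): count per-IP requests to the GotMLS plugin
# path in a combined-format access log and flag IPs above a threshold.
# Field layout assumed: $1 = client IP, $7 = request path, $9 = HTTP status.
GOTMLS_PATH='/wp-content/plugins/gotmls/'

# gotmls_hits_by_ip < access.log  ->  "count ip" per source IP, busiest first
gotmls_hits_by_ip() {
    awk -v p="$GOTMLS_PATH" '
        index($7, p) == 1 { hits[$1]++ }          # request path starts with the plugin dir
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# gotmls_suspects THRESHOLD < access.log  ->  IPs with more than THRESHOLD hits
gotmls_suspects() {
    gotmls_hits_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Constructed sample: one client hammering the plugin path (8 hits, mixed status codes),
# one client fetching the plugin's readme twice, one unrelated login request.
SAMPLE_LOG='203.0.113.7 - - [12/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/gotmls/index.php?try=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/gotmls/index.php?try=2 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/gotmls/index.php?try=3 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/gotmls/index.php?try=4 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/gotmls/index.php?try=5 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/gotmls/index.php?try=6 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/gotmls/index.php?try=7 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2024:10:00:04 +0000] "POST /wp-content/plugins/gotmls/index.php?try=8 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.2 - - [12/Jan/2024:10:01:10 +0000] "GET /wp-content/plugins/gotmls/readme.txt HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jan/2024:10:01:11 +0000] "GET /wp-content/plugins/gotmls/readme.txt HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"'

# gotmls_demo  ->  prints the suspect IP(s) from the constructed sample at threshold 5
gotmls_demo() {
    printf '%s\n' "$SAMPLE_LOG" | gotmls_suspects 5
}

gotmls_demo
```

Run it against a real log with `gotmls_suspects 50 < /var/log/nginx/access.log` (path and threshold are yours to set); if your log format differs from combined, adjust the field numbers in the awk program.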
🔗 References
- https://patchstack.com/articles/critical-vulnerability-found-in-gotmls-plugin?_s_id=cve
- https://patchstack.com/database/vulnerability/gotmls/wordpress-anti-malware-security-and-brute-force-firewall-plugin-4-21-96-unauthenticated-predictable-nonce-brute-force-leading-to-rce-vulnerability?_s_id=cve
- https://sec.stealthcopter.com/cve-2024-22144/