CVE-2024-30485
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the Finale Lite WordPress plugin that allows authenticated users with subscriber-level permissions to install and activate arbitrary plugins. This affects all WordPress sites running Finale Lite versions up to 2.18.0. The vulnerability enables privilege escalation and potential remote code execution.
💻 Affected Systems
- Finale Lite - WooCommerce Sales Countdown Timer & Discount Plugin
📦 What is this software?
Finale by Xlplugins
⚠️ Risk & Real-World Impact
Worst Case
An attacker with subscriber access could install malicious plugins, gain administrative privileges, execute arbitrary code, and completely compromise the WordPress site and underlying server.
Likely Case
Attackers exploiting this would install backdoor plugins to maintain persistent access, steal sensitive data, or use the site for malicious activities like phishing or malware distribution.
If Mitigated
With proper authorization checks and least privilege principles, subscribers would be restricted to their intended permissions, preventing plugin installation capabilities.
🎯 Exploit Status
Exploitation requires subscriber-level authentication. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.0 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Finale Lite' and click 'Update Now'.
4. Alternatively, download version 2.19.0+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Finale Lite plugin until patched to prevent exploitation
wp plugin deactivate finale-woocommerce-sales-countdown-timer-discount
Restrict User Registration
Temporarily disable new user registration to prevent attackers from obtaining subscriber accounts
🧯 If You Can't Patch
- Remove the Finale Lite plugin completely and use alternative WooCommerce countdown solutions
- Implement web application firewall rules to block plugin installation requests from non-admin users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Finale Lite version. If version is 2.18.0 or lower, you are vulnerable.
Check Version:
wp plugin get finale-woocommerce-sales-countdown-timer-discount --field=version
Verify Fix Applied:
After updating, verify Finale Lite version is 2.19.0 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- WordPress logs showing plugin installation/activation by non-admin users
- HTTP POST requests to /wp-admin/update.php or plugin installation endpoints from subscriber accounts
Network Indicators:
- Unusual plugin installation traffic patterns
- Requests to plugin repositories from non-admin IPs
SIEM Query:
source="wordpress.log" AND ("plugin installed" OR "plugin activated") AND user_role="subscriber"
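The "If Mitigated" and "Log Indicators" points above, turned into a concrete check. This is an added example, not code from the page or from the Finale plugin: a must-use plugin that records any plugin install or activation performed by a user who lacks the matching WordPress capability, and (assumption, toggled by a constant) reverts the unauthorized activation. The hook names and capabilities are WordPress core; the `pig_` prefix, the log format and the revert toggle are assumptions.

```php
<?php
/**
 * Plugin Name: Plugin Install Guard (added example, not part of Finale Lite)
 * Description: Logs plugin installs/activations by users who lack the capability; optionally reverts them.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumption: reverting is wanted. Set to false to log only.
define( 'PIG_REVERT_UNAUTHORIZED', true );

/** Write one structured line to the PHP error log (lands in debug.log when WP_DEBUG_LOG is on). */
function pig_log( $event, array $context ) {
    $user             = wp_get_current_user();
    $context['user']  = $user->exists() ? $user->user_login : 'anonymous';
    $context['roles'] = $user->exists() ? implode( ',', $user->roles ) : '';
    $context['ip']    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    error_log( 'plugin-install-guard ' . $event . ' ' . wp_json_encode( $context ) );
}

/** WP-CLI runs with no logged-in user, so capability checks would misfire; skip it. */
function pig_is_cli() {
    return defined( 'WP_CLI' ) && WP_CLI;
}

// Fires after any plugin is switched on, whatever path did it (wp-admin, or a plugin's own AJAX handler).
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    if ( pig_is_cli() || current_user_can( 'activate_plugins' ) ) {
        return; // Legitimate administrator action; nothing to record.
    }
    pig_log( 'unauthorized_activation', array( 'plugin' => $plugin, 'network' => (bool) $network_wide ) );
    if ( PIG_REVERT_UNAUTHORIZED ) {
        deactivate_plugins( $plugin, true, $network_wide ); // silent=true: do not run deactivation hooks
        pig_log( 'reverted_activation', array( 'plugin' => $plugin ) );
    }
}, 10, 2 );

// Fires when an upgrader finishes; $hook_extra says whether this was a plugin install.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ! is_array( $hook_extra ) || ( $hook_extra['type'] ?? '' ) !== 'plugin' || ( $hook_extra['action'] ?? '' ) !== 'install' ) {
        return;
    }
    if ( pig_is_cli() || current_user_can( 'install_plugins' ) ) {
        return;
    }
    $installed = method_exists( $upgrader, 'plugin_info' ) ? $upgrader->plugin_info() : null;
    pig_log( 'unauthorized_install', array( 'plugin' => $installed ? $installed : 'unknown' ) );
}, 10, 2 );
```

Each log line carries the acting user, their roles and source IP, which is the field set the SIEM query above filters on; forward debug.log to the SIEM to make that query answerable.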
🔗 References
- https://patchstack.com/database/vulnerability/finale-woocommerce-sales-countdown-timer-discount/wordpress-finale-lite-plugin-2-18-0-subscriber-arbitrary-plugin-installation-activation-vulnerability?_s_id=cve