CVE-2024-32836
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files, including malicious scripts, to WordPress sites running the vulnerable WP-Lister Lite for eBay plugin. Attackers can achieve remote code execution, compromising the entire website. All WordPress sites using affected plugin versions are at risk.
💻 Affected Systems
- WP-Lister Lite for eBay WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover, data theft, malware distribution, and server compromise leading to lateral movement within the hosting environment.
Likely Case
Website defacement, backdoor installation, credential theft, and use as a malware distribution platform.
If Mitigated
Limited impact if file execution restrictions are in place, but still allows DoS through disk space exhaustion.
🎯 Exploit Status
Simple HTTP POST request with malicious file upload. Public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.12 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/wp-lister-for-ebay/wordpress-wp-lister-lite-for-ebay-plugin-3-5-11-arbitrary-file-upload-vulnerability
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find WP-Lister Lite for eBay.
4. Click 'Update Now' if available.
5. Alternatively, delete and reinstall latest version from WordPress repository.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate WP-Lister Lite for eBay until patched (all platforms)
wp plugin deactivate wp-lister-for-ebay
Restrict file uploads via .htaccess
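Block PHP file execution in the uploads directory (Linux, Apache). The Order/Deny directives below are Apache 2.2 syntax; on Apache 2.4 they work only when mod_access_compat is loaded.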
<FilesMatch "\.(php|php5|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Remove plugin entirely and use alternative eBay listing solution
- Implement web application firewall (WAF) rules to block file uploads to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
In WordPress admin, go to Plugins and check the WP-Lister Lite for eBay version. Versions 3.5.11 and earlier are vulnerable.
Check Version:
wp plugin get wp-lister-for-ebay --field=version
Verify Fix Applied:
Confirm plugin version is 3.5.12 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/wp-lister-for-ebay/ with file uploads
- Unexpected .php files in upload directories
- Web server errors related to file upload restrictions
Network Indicators:
- Unusual file upload traffic to WordPress paths
- POST requests with multipart/form-data to plugin endpoints
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/wp-lister-for-ebay/*" AND method="POST" AND content_type="multipart/form-data*")
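A triage sketch for the log indicators above, added here as an example and not taken from the vendor or the advisory: it flags POSTs under the plugin path and requests for script files under the uploads path, then lists clients that did both. The uploads prefix (WordPress default), the combined log format and the sample lines are assumptions; standard access logs do not record Content-Type, so it matches on method and path only.

```python
import re
from collections import defaultdict

# Path prefix taken from the page's log indicators.
PLUGIN_PREFIX = "/wp-content/plugins/wp-lister-for-ebay/"
# Assumption: default WordPress uploads location.
UPLOADS_PREFIX = "/wp-content/uploads/"
# Same extensions the .htaccess workaround blocks, matched case-insensitively.
SCRIPT_EXT = re.compile(r"\.(php|php5|phtml|phar)$", re.IGNORECASE)
# Apache/nginx combined log format: client ip, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines):
    """Return (plugin_posts, script_hits, correlated_ips) from access-log lines."""
    posts, hits = defaultdict(list), defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            posts[m["ip"]].append((m["ts"], path, m["status"]))
        elif path.startswith(UPLOADS_PREFIX) and SCRIPT_EXT.search(path):
            hits[m["ip"]].append((m["ts"], path, m["status"]))
    # A client that both POSTed to the plugin and requested a script under
    # uploads is the highest-priority lead.
    correlated = sorted(set(posts) & set(hits))
    return dict(posts), dict(hits), correlated

# Constructed sample lines (not real traffic); file names are placeholders.
SAMPLE = [
    '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-content/plugins/wp-lister-for-ebay/placeholder.php HTTP/1.1" 200 31 "-" "curl/8.0"',
    '203.0.113.7 - - [10/May/2024:10:00:05 +0000] "GET /wp-content/uploads/2024/05/placeholder.PHP?x=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.4 - - [10/May/2024:10:01:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [10/May/2024:10:03:00 +0000] "GET /wp-content/uploads/cache/old.phtml HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    posts, hits, correlated = triage(SAMPLE)
    for ip in correlated:
        print("correlated:", ip, posts[ip], hits[ip])
    for ip in sorted(set(hits) - set(correlated)):
        print("script request only:", ip, hits[ip])
```

A 200 on a script under uploads calls for an immediate file-system review of that path; a 403 there is consistent with the .htaccess restriction being in effect.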
🔗 References
- https://patchstack.com/database/vulnerability/wp-lister-for-ebay/wordpress-wp-lister-lite-for-ebay-plugin-3-5-11-arbitrary-file-upload-vulnerability?_s_id=cve