CVE-2024-3561

8.8 HIGH

📋 TL;DR

The Custom Field Suite WordPress plugin contains a SQL injection vulnerability in its 'Term' custom field: the user-supplied value is not sufficiently escaped and the SQL query that uses it is not prepared. Authenticated attackers with Contributor-level access or higher can exploit this to extract sensitive information from the WordPress database. All sites running the plugin at any version up to and including 2.6.7 are affected.
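The following PHP is an added illustration of the bug class named in the TL;DR; it is not the Custom Field Suite plugin's own code and makes no claim about its exact function names or tables. It models a list of term IDs submitted from the post editor being interpolated into an SQL string, next to the hardened form that casts each value and binds it through prepare(). The DemoWpdb class, build_term_query_* functions and absint_demo() are stand-ins assumed for the demo so the file runs offline with PHP 7.4+; in a real plugin the global $wpdb and WordPress's absint() take their place.

```php
<?php
// Added illustrative example; NOT the Custom Field Suite plugin's code.
// Models the pattern behind CVE-2024-3561: term IDs from the post editor
// reach an SQL string without escaping and without $wpdb->prepare().
// DemoWpdb stands in for WordPress's global $wpdb so this runs offline.

final class DemoWpdb {
    public string $terms = 'wp_terms';

    // Stand-in for $wpdb->prepare() covering only %d placeholders with
    // integer arguments, which is all the hardened builder needs.
    public function prepare( string $query, int ...$args ): string {
        return vsprintf( $query, $args );
    }
}

// VULNERABLE: submitted values are joined straight into the IN (...) list.
function build_term_query_vulnerable( DemoWpdb $wpdb, array $submitted ): string {
    $in_list = implode( ',', $submitted );               // no cast, no escaping
    return "SELECT term_id, name FROM {$wpdb->terms} WHERE term_id IN ($in_list)";
}

// HARDENED: cast every value to a non-negative integer, drop the zeros that
// non-numeric input collapses to, and bind the rest with one %d per value.
function build_term_query_hardened( DemoWpdb $wpdb, array $submitted ): ?string {
    $ids = array_values( array_filter( array_map( 'absint_demo', $submitted ) ) );
    if ( $ids === array() ) {
        return null;                                     // nothing valid to query
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare(
        "SELECT term_id, name FROM {$wpdb->terms} WHERE term_id IN ($placeholders)",
        ...$ids
    );
}

// Stand-in for WordPress's absint(): abs( (int) $value ).
function absint_demo( $value ): int {
    return abs( (int) $value );
}

// Constructed attacker input: the first "term ID" closes the IN list and
// appends a UNION that reads password hashes from wp_users; the second is
// a legitimate ID so the save still looks normal in the editor.
$submitted = array( "3) UNION SELECT user_login, user_pass FROM wp_users-- -", '7' );
$wpdb      = new DemoWpdb();

echo "vulnerable: ", build_term_query_vulnerable( $wpdb, $submitted ), PHP_EOL;
echo "hardened:   ", build_term_query_hardened( $wpdb, $submitted ) ?? '(no query)', PHP_EOL;
```

Run it with php and compare the two statements: the vulnerable builder emits the attacker's UNION verbatim, while the hardened builder reduces the same input to IN (3,7) because the cast keeps only the leading digits and prepare() binds integers rather than text. The casting step matters on its own; prepare() with %s placeholders would still quote the value safely, but %d plus an integer cast removes the ambiguity entirely for an ID list.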

💻 Affected Systems

Products:
  • Custom Field Suite WordPress Plugin
Versions: All versions up to and including 2.6.7
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the Custom Field Suite plugin active and an account controlled by the attacker that holds the Contributor role or higher.

📦 What is this software?

Custom Field Suite (CFS) is a free WordPress plugin that lets site builders attach groups of custom fields to the post edit screen. Its 'Term' field type stores taxonomy term selections for a post; the term values submitted through that field are the input that reaches the vulnerable query.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Read access to the whole WordPress database, including the password hashes in wp_users and any secrets kept in wp_options; cracked or reused credentials can then yield an administrator session and full site takeover.

🟠 Likely Case

Extraction of sensitive data including user account details, private or draft content, and configuration values from the WordPress database.

🟢 If Mitigated

Updating to 2.6.8 removes the injection. Until then, if the Contributor and higher roles are held only by trusted staff and the database account is scoped to the WordPress schema, exposure is limited to what an insider with editor access could already read.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with the Contributor role or higher, but the injection itself uses standard SQL injection techniques and the plugin's own post editor supplies the input path. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.8 or later

Vendor Advisory: https://en-gb.wordpress.org/plugins/custom-field-suite/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Custom Field Suite and click 'Update Now'.
4. Verify the plugin version is 2.6.8 or higher.

🔧 Temporary Workarounds

Disable Plugin (any platform with WP-CLI)

Temporarily deactivate Custom Field Suite until it can be updated. Deactivation does not delete stored field values, but the plugin's fields disappear from the editor and from any theme output that depends on them.

wp plugin deactivate custom-field-suite

Restrict User Roles (any platform with WP-CLI)

Demote untrusted Contributor accounts to Subscriber, which cannot open the post editor. Review the list first: the second command demotes every Contributor, and neither command touches Author, Editor or Administrator accounts, which can also reach the vulnerable field.

wp user list --role=contributor --fields=ID,user_login
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block SQL injection patterns in POST bodies to wp-admin; treat this as a speed bump, since URL-encoded or comment-obfuscated payloads routinely evade pattern lists
  • Scope the WordPress database account to its own schema only (no grants on other databases, no FILE privilege); WordPress itself needs INSERT, UPDATE and DELETE, so the account cannot be made read-only, and a read-only grant would not stop an injection whose goal is reading data anyway

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel → Plugins → Custom Field Suite → Version. If the plugin is active and its version is 2.6.7 or lower, you are vulnerable.

Check Version:

wp plugin get custom-field-suite --field=version

Verify Fix Applied:

After updating, verify version shows 2.6.8 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • WordPress database errors in debug.log (WP_DEBUG_LOG enabled): WordPress does not log executed queries by default, but an injection attempt that breaks the query surfaces as a "WordPress database error" entry that includes the failing SQL
  • A Contributor account saving or editing posts far more often than usual, or outside normal hours; extracting data through this bug takes many save requests
  • UNION SELECT, information_schema, SLEEP or BENCHMARK in the MySQL general query log, attributed to the WordPress database user

Network Indicators:

  • POST requests to the post editor's save endpoints (wp-admin/post.php, and wp-admin/admin-ajax.php for autosaves) whose bodies carry SQL keywords such as UNION SELECT, usually URL-encoded; this requires a WAF or reverse proxy that logs request bodies, since access logs record only the URL
  • Long-running statements (time-based probing with SLEEP or BENCHMARK) or unusually large result sets on the web server's database session

SIEM Query:

Web access logs do not contain POST bodies, and the plugin slug does not appear in the request that saves a post, so the query must run over a source that records request bodies or executed SQL (a WAF audit log such as ModSecurity's, or the MySQL general log) with bodies URL-decoded first:

(source="modsec_audit.log" OR source="mysql-general.log") AND ("UNION SELECT" OR "information_schema" OR "sleep(" OR "benchmark(") AND ("wp-admin/post.php" OR "wp-admin/admin-ajax.php" OR "wp_terms")
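The PHP below is an added example of the normalisation step a plain keyword search cannot do: URL-decode the captured body (twice, for double encoding), strip inline comments, collapse whitespace, then match. It is not part of the original advisory and not a vendor rule. The log lines are constructed for the demo and imitate a WAF body log and a MySQL general log; the term_ids parameter name and the user= field are assumptions, not the plugin's real form names.

```php
<?php
// Added detection example, not part of the original advisory and not a
// vendor-supplied rule. Normalises captured request bodies / SQL log lines
// before matching so encoded or comment-obfuscated payloads still fire.

const SQLI_PATTERNS = array(
    'union_select'       => '/\bunion\b\s*(?:all\s+)?select\b/',
    'information_schema' => '/\binformation_schema\b/',
    'time_based'         => '/\b(?:sleep|benchmark)\s*\(/',
);

// Decode and canonicalise one log line so the patterns above apply.
function normalise_payload( string $raw ): string {
    $s = urldecode( urldecode( $raw ) );                 // handle double encoding
    $s = preg_replace( '#/\*.*?\*/#s', ' ', $s );        // strip /* */ comments
    $s = preg_replace( '/\s+/', ' ', $s );               // collapse whitespace
    return strtolower( $s );
}

// Return one hit per (line, rule) for every pattern that matches.
function scan_log_lines( array $lines ): array {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        $norm = normalise_payload( $line );
        foreach ( SQLI_PATTERNS as $name => $re ) {
            if ( preg_match( $re, $norm ) ) {
                $hits[] = array( 'line' => $n + 1, 'rule' => $name );
            }
        }
    }
    return $hits;
}

// Constructed sample lines (not real logs). Parameter names are assumed.
$lines = array(
    // 1: benign post save with two term IDs
    'POST /wp-admin/post.php user=contrib1 body=post_ID=41&term_ids=3%2C7',
    // 2: URL-encoded UNION with an inline comment to defeat naive matching
    'POST /wp-admin/post.php user=contrib1 body=post_ID=41&term_ids=3)%20UNION/**/SELECT%20user_login,user_pass%20FROM%20wp_users--%20-',
    // 3: MySQL general log, time-based probe on the web server's DB session
    '2024-04-10T14:02:11Z  88 Query  SELECT term_id FROM wp_terms WHERE term_id IN (3) AND SLEEP(5)',
    // 4: benign query
    "2024-04-10T14:02:12Z  88 Query  SELECT option_value FROM wp_options WHERE option_name = 'siteurl'",
);

foreach ( scan_log_lines( $lines ) as $hit ) {
    printf( "line %d: %s\n", $hit['line'], $hit['rule'] );
}
```

Run with php; lines 2 and 3 are reported and lines 1 and 4 are not. The raw keyword search from the SIEM query above would miss line 2 entirely, because the body reads UNION/**/SELECT with %20 in place of spaces until it is decoded and the comment removed.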
