CVE-2024-35746
📋 TL;DR
This vulnerability allows attackers to upload malicious files to WordPress sites using the BuddyPress Cover plugin, potentially leading to remote code execution. It affects all WordPress installations with BuddyPress Cover plugin versions up to 2.1.4.2. Attackers can exploit this to take full control of affected websites.
💻 Affected Systems
- WordPress BuddyPress Cover plugin
📦 What is this software?
Buddypress Cover by Buddypress Cover Project
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise leading to data theft, defacement, malware distribution, and server takeover.
Likely Case
Website defacement, backdoor installation, and unauthorized access to sensitive data.
If Mitigated
Limited impact if file uploads are restricted via web application firewall or server configuration.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.4.3 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/bp-cover/wordpress-buddypress-cover-plugin-2-1-4-2-arbitrary-file-upload-vulnerability
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the BuddyPress Cover plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable BuddyPress Cover plugin
Temporarily deactivate the vulnerable plugin until it is patched.
wp plugin deactivate bp-cover
Restrict file uploads via .htaccess
Deny web access to executable file types in the plugin's upload directory (the detection indicators on this page point to /wp-content/uploads/bp-cover/). This does not stop the upload itself, but it prevents an uploaded script from being executed through the web server. It applies to Apache with .htaccess overrides enabled; nginx ignores .htaccess. On Apache 2.4 without mod_access_compat, replace the two Order/Deny lines with "Require all denied".
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php8|inc|pl|py|jsp|asp|sh|cgi)">
    Order Allow,Deny
    Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Implement web application firewall rules to block malicious file uploads
- Restrict file permissions on upload directories to prevent execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > BuddyPress Cover for version number. If version is 2.1.4.2 or lower, you are vulnerable.
Check Version:
wp plugin get bp-cover --field=version
Verify Fix Applied:
Verify plugin version is 2.1.4.3 or higher in WordPress admin panel.
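The version checks above are easy to get wrong when scripted across many sites, because a plain string comparison puts "2.1.4.10" before "2.1.4.3". The following Python helper is an added example (not part of this advisory and not the plugin vendor's code): it parses the output of `wp plugin get bp-cover --field=version`, or a `wp plugin list --fields=name,version --format=csv` listing, and compares against the fixed version 2.1.4.3 as numeric tuples. It assumes plain dotted release numbers and treats an empty wp-cli result as "plugin not installed"; the CSV listing in the block is constructed sample data.

```python
import csv
import io
import re
from typing import Tuple

# Fixed version from the advisory; anything below it is affected.
FIXED_VERSION = "2.1.4.3"
PLUGIN_SLUG = "bp-cover"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2.1.4.10' into (2, 1, 4, 10).

    Comparing tuples of ints avoids the string-comparison trap where
    '2.1.4.10' sorts before '2.1.4.3'. Trailing zeros are dropped so that
    '2.1.4' and '2.1.4.0' compare equal. Assumption: releases are plain
    dotted numbers; any non-numeric suffix is ignored.
    """
    parts = [int(n) for n in re.findall(r"\d+", version.strip())]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is below the fixed version."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def verdict_for_version(output: str) -> str:
    """Classify the single line printed by `wp plugin get bp-cover --field=version`.

    Assumption: an empty result means wp-cli found no such plugin.
    """
    version = output.strip()
    if not version:
        return "not-installed"
    return "vulnerable" if is_vulnerable(version) else "patched"


def verdict_for_plugin_list(csv_output: str) -> str:
    """Classify bp-cover from `wp plugin list --fields=name,version --format=csv`.

    Useful when checking many sites in one pass: collect the listing once
    and pick the plugin out by slug.
    """
    for row in csv.DictReader(io.StringIO(csv_output)):
        if row.get("name") == PLUGIN_SLUG:
            return verdict_for_version(row.get("version", ""))
    return "not-installed"


# Constructed sample wp-cli output (not from a real site) for a stand-alone run.
SAMPLE_PLUGIN_LIST = """name,version
akismet,5.3
bp-cover,2.1.4.2
"""

if __name__ == "__main__":
    print(verdict_for_version("2.1.4.2"))
    print(verdict_for_plugin_list(SAMPLE_PLUGIN_LIST))
```

Feed `verdict_for_version` the raw stdout of the wp-cli command from the "Check Version" step; `verdict_for_plugin_list` is the variant to use when one CSV listing per site is already being collected for inventory.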
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/bp-cover/
- POST requests to cover image upload endpoints with suspicious file extensions
Network Indicators:
- HTTP POST requests with file uploads containing PHP/executable content
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/bp-cover/*" OR uri_path="/wp-admin/admin-ajax.php") AND method="POST" AND (file_extension="php" OR file_extension="phtml" OR file_extension="phar")
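To show the SIEM query and the log indicators above as runnable detection logic, here is an added Python example that is not part of this advisory. It parses key="value" events of the kind a SIEM exports, and flags two things: POST requests to the plugin path or to admin-ajax.php whose uploaded file name carries an executable extension, and any request for an executable file under /wp-content/uploads/bp-cover/. Unlike the exact-match `file_extension="php"` clause in the query, the extension check is case-insensitive and looks at every dot-separated segment, so "cover.PHP" and "img.php.jpg" are both caught. The `file_name` field and the plugin endpoint path "placeholder-endpoint.php" are assumptions (plain access logs do not carry the multipart file name; the advisory does not name the real endpoint), and the sample events are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Executable extensions taken from the advisory's SIEM query and .htaccess rule.
EXEC_EXTENSIONS: Set[str] = {
    "php", "phtml", "phar", "php3", "php4", "php5", "php7", "php8", "phps",
}

# Paths named in the advisory's indicators.
PLUGIN_PREFIX = "/wp-content/plugins/bp-cover/"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOAD_DIR_PREFIX = "/wp-content/uploads/bp-cover/"

# Constructed sample events (not real traffic). The file_name field is assumed
# to come from a WAF or upload log; "placeholder-endpoint.php" stands in for
# the plugin's real upload endpoint, which this advisory does not name.
SAMPLE_LOG = '''
ts="2024-05-01T10:00:01Z" source="web_server" method="GET" uri_path="/wp-content/plugins/bp-cover/assets/style.css" status=200
ts="2024-05-01T10:02:13Z" source="web_server" method="POST" uri_path="/wp-admin/admin-ajax.php" file_name="cover.jpg" status=200
ts="2024-05-01T10:02:40Z" source="web_server" method="POST" uri_path="/wp-admin/admin-ajax.php" file_name="cover.PHP" status=200
ts="2024-05-01T10:03:05Z" source="web_server" method="POST" uri_path="/wp-content/plugins/bp-cover/placeholder-endpoint.php" file_name="img.php.jpg" status=200
ts="2024-05-01T10:03:30Z" source="web_server" method="GET" uri_path="/wp-content/uploads/bp-cover/cover.PHP" status=200
ts="2024-05-01T10:04:00Z" source="web_server" method="POST" uri_path="/wp-login.php" file_name="x.phtml" status=403
'''

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def extensions(name: str) -> Set[str]:
    """Every extension of the last path segment, lower-cased.

    'img.php.jpg' -> {'php', 'jpg'}; 'cover.PHP' -> {'php'}. Looking at all
    segments catches double-extension names that a last-extension check misses.
    """
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return set(parts[1:])


def has_exec_extension(name: str) -> bool:
    return bool(extensions(name) & EXEC_EXTENSIONS)


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, uri_path) for each event matching an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        if not ev:
            continue
        path = ev.get("uri_path", "")
        in_scope = path.startswith(PLUGIN_PREFIX) or path == AJAX_ENDPOINT
        if ev.get("method") == "POST" and in_scope and has_exec_extension(ev.get("file_name", "")):
            # Mirrors the advisory's SIEM query, with the broader extension check.
            hits.append((ev.get("ts", "?"), "exec-upload", path))
        elif path.startswith(UPLOAD_DIR_PREFIX) and has_exec_extension(path):
            # An executable file being served from the cover upload directory.
            hits.append((ev.get("ts", "?"), "exec-file-in-upload-dir", path))
    return hits


if __name__ == "__main__":
    for ts, rule, path in detect(SAMPLE_LOG):
        print(f"{ts} {rule:<24} {path}")
```

The last sample event (a .phtml upload to wp-login.php) is deliberately left unflagged: the rules are scoped to the paths this advisory names, which keeps the alert specific to this plugin; widen `in_scope` if a site-wide upload rule is wanted.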