CVE-2024-3591
📋 TL;DR
This vulnerability in the Geo Controller WordPress plugin allows unauthenticated attackers to perform PHP Object Injection by sending specially crafted requests to AJAX actions and REST API routes. This could lead to remote code execution if a suitable gadget chain exists in the WordPress installation. All WordPress sites using vulnerable versions of the Geo Controller plugin are affected.
💻 Affected Systems
- Geo Controller WordPress Plugin
📦 What is this software?
Geo Controller by Infinitumform
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, malware installation, or site defacement.
Likely Case
Arbitrary file read/write, privilege escalation, or denial of service depending on available gadget chains.
If Mitigated
Limited impact if no suitable gadget chains exist, but still presents a security risk.
🎯 Exploit Status
Exploitation requires a suitable gadget chain in the WordPress installation. Proof of concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.5
Vendor Advisory: https://wpscan.com/vulnerability/f85d8b61-eaeb-433c-b857-06ee4db5c7d5/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Geo Controller plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 8.6.5+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable endpoints
Linux (Apache): Restrict access to the AJAX and REST API endpoints used by the Geo Controller plugin.
Add to .htaccess: RewriteRule ^wp-admin/admin-ajax\.php.* - [F]
Add to .htaccess: RewriteRule ^wp-json/geo-controller.* - [F]
Note: the first rule refuses every request to admin-ajax.php, including those made by other plugins, themes and the WordPress admin itself, so expect site functionality to break while it is in place. Both rules require mod_rewrite and a preceding RewriteEngine On directive.
Disable plugin
All platforms: Temporarily deactivate the Geo Controller plugin until it is patched.
wp plugin deactivate geo-controller
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block serialized object payloads
- Restrict network access to WordPress admin and API endpoints
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins → Installed Plugins and read the Geo Controller version. If the version is below 8.6.5, the site is vulnerable.
Check Version:
wp plugin list --name=geo-controller --field=version
Verify Fix Applied:
Confirm Geo Controller plugin version is 8.6.5 or higher in WordPress admin panel.
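The version check above is easy to get wrong in scripts: comparing version strings lexicographically reports "8.10.0" as older than "8.6.5". The following is an added example (not part of this advisory or of the plugin) that parses the version into numeric components before comparing it with the fixed version 8.6.5, and optionally reads the installed version through the WP-CLI command shown on this page. The handling of pre-release suffixes (ignored) is an assumption of this example.

```python
import re
import subprocess

FIXED_VERSION = "8.6.5"  # first fixed release named in the advisory


def parse_version(version):
    """Turn '8.6.5' into (8, 6, 5).

    Missing components count as 0 ('8.6' -> (8, 6, 0)). A pre-release
    suffix such as '8.6.5-beta1' is ignored (assumption of this example).
    """
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed version.

    Tuple comparison is numeric per component, so '8.10.0' correctly
    ranks above '8.6.5' even though the plain strings compare the other way.
    """
    return parse_version(installed) < parse_version(fixed)


def installed_version():
    """Ask WP-CLI for the installed plugin version (command from this page)."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=geo-controller", "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    status = "VULNERABLE" if is_vulnerable(current) else "patched"
    print(f"geo-controller {current}: {status} (fixed in {FIXED_VERSION})")
```

Run it on the WordPress host where `wp` is on the PATH; the comparison functions can also be imported into a larger inventory script that reads versions from other sources.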
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with serialized data
- Requests to /wp-json/geo-controller/* endpoints with PHP serialized objects
- Increased error logs mentioning unserialize() or Geo Controller
Network Indicators:
- HTTP POST requests containing serialized PHP objects (O: or a: patterns)
- Requests to Geo Controller REST API endpoints from unexpected sources
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "/wp-json/geo-controller/") AND http_method="POST" AND (request_body CONTAINS "O:" OR request_body CONTAINS "a:")
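The bare "O:" and "a:" substrings in the SIEM query above will match a great deal of ordinary traffic. As an added example (not part of this advisory), the script below runs the same detection logic over constructed JSON-lines web log records with the query's field names (uri_path, http_method, request_body), but tightens the match to the shape of PHP serialized objects and arrays (`O:<len>:"`, `C:<len>:"`, `a:<count>:{`) and also checks the URL-decoded body, since form-encoded payloads arrive percent-encoded. The REST route and AJAX action name in the sample records are placeholders, not the plugin's real ones.

```python
import json
import re
from urllib.parse import unquote_plus

# Shape of a PHP serialized object/class/array prefix, e.g. O:8:"stdClass" or a:1:{
SERIALIZED_OBJECT = re.compile(r'\b(?:[OC]:\d+:"|a:\d+:\{)')

# Constructed sample records, not real traffic. The route /wp-json/geo-controller/v1/example
# and the action name example_action are placeholders for this example.
SAMPLE_RECORDS = [
    {"ts": "2024-04-10T12:00:01Z", "src_ip": "203.0.113.5", "http_method": "POST",
     "uri_path": "/wp-admin/admin-ajax.php",
     "request_body": "action=example_action&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
    {"ts": "2024-04-10T12:00:02Z", "src_ip": "198.51.100.7", "http_method": "POST",
     "uri_path": "/wp-json/geo-controller/v1/example",
     "request_body": '{"payload":"a:1:{i:0;O:8:\\"stdClass\\":0:{}}"}'},
    # Benign: contains the bare text "O:" that a substring match would flag
    {"ts": "2024-04-10T12:00:03Z", "src_ip": "192.0.2.9", "http_method": "POST",
     "uri_path": "/wp-admin/admin-ajax.php",
     "request_body": "action=heartbeat&data=O:%20hello"},
    # Benign: GET with no body
    {"ts": "2024-04-10T12:00:04Z", "src_ip": "192.0.2.10", "http_method": "GET",
     "uri_path": "/wp-json/geo-controller/v1/example", "request_body": ""},
    # Benign for this rule: serialized array sent to an unrelated endpoint
    {"ts": "2024-04-10T12:00:05Z", "src_ip": "192.0.2.11", "http_method": "POST",
     "uri_path": "/wp-json/wp/v2/posts", "request_body": "x=a:0:{}"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def is_target_path(uri_path):
    """Endpoints named in the advisory's log indicators."""
    return (uri_path == "/wp-admin/admin-ajax.php"
            or uri_path.startswith("/wp-json/geo-controller/"))


def contains_php_serialized(body):
    """Match on the raw body and on its URL-decoded form."""
    candidates = {body, unquote_plus(body)}
    return any(SERIALIZED_OBJECT.search(c) is not None for c in candidates)


def scan_log(text):
    """Return one alert per POST to a target endpoint carrying a serialized PHP value."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than aborting the scan
        if rec.get("http_method") != "POST":
            continue
        if not is_target_path(rec.get("uri_path", "")):
            continue
        if contains_php_serialized(rec.get("request_body", "")):
            alerts.append({"line": lineno, "ts": rec.get("ts"),
                           "src_ip": rec.get("src_ip"), "uri_path": rec["uri_path"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT line {alert['line']}: {alert['src_ip']} -> {alert['uri_path']} at {alert['ts']}")
```

Against the sample, only the first two records are flagged: the "O: hello" heartbeat and the GET are ignored, and the serialized array posted to an unrelated route is left for a broader rule. Whether request bodies are available at all depends on the log source; plain access logs usually lack them, so this rule expects WAF or reverse-proxy logs that record the body.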