CVE-2024-3607
📋 TL;DR
The PropertyHive WordPress plugin is missing a capability check in its delete_key_date() function, so any authenticated user with subscriber-level access or higher can delete arbitrary posts. All versions up to and including 2.0.12 are affected; version 2.0.13 adds the missing check. Any WordPress site running an affected version is exposed to unauthorized deletion of content by any account that can log in, including self-registered subscribers.
💻 Affected Systems
- PropertyHive WordPress Plugin
📦 What is this software?
Propertyhive by Wp Property Hive
⚠️ Risk & Real-World Impact
Worst Case
A low-privilege account (including one created through open self-registration) deletes critical content, causing data loss, site disruption, and the business impact that follows from missing pages, listings, or records.
Likely Case
Subscriber-level users delete posts they have no right to remove, including posts of other post types or belonging to other users, and the site owner has to discover and restore the missing content.
If Mitigated
Where self-registration is closed, existing low-privilege accounts are reviewed, and tested backups exist, the exposure is limited to trusted users abusing the gap, and anything they delete can be restored.
🎯 Exploit Status
Exploitation requires an authenticated account of subscriber level or above; given one, it is a single crafted request to the plugin's AJAX handler carrying the ID of the post to delete.
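The pattern behind this advisory, as an added illustration that is not PropertyHive's own code: a WordPress AJAX handler that deletes a post without asking whether the caller may do so, beside a hardened version. The function and action names (myplugin_*), the post type, the request field and the nonce action are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_delete_post, wp_send_json_*) are real core functions.

```php
<?php
// Added example, not PropertyHive's code. All myplugin_* names, the
// 'myplugin_key_date' post type, the 'key_date_id' field and the nonce
// action are hypothetical placeholders.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks fire for ANY logged-in user, so a subscriber reaches
// this handler as soon as they can log in. Nothing checks that the caller
// may delete the target, and the post ID comes straight from the request,
// so any post on the site can be deleted.
function myplugin_delete_key_date_vulnerable() {
    $post_id = isset( $_POST['key_date_id'] ) ? (int) $_POST['key_date_id'] : 0;
    if ( $post_id > 0 ) {
        wp_delete_post( $post_id, true );
    }
    wp_send_json_success();
}
// Shown for contrast only; do not register this version.
// add_action( 'wp_ajax_myplugin_delete_key_date', 'myplugin_delete_key_date_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function myplugin_delete_key_date_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'myplugin-delete-key-date' ) on the page side).
    check_ajax_referer( 'myplugin-delete-key-date', 'security' );

    $post_id = isset( $_POST['key_date_id'] ) ? absint( $_POST['key_date_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // 2. Object type: this handler may only touch the post type it manages,
    //    so a valid ID of a page or product is rejected here.
    if ( ! $post || 'myplugin_key_date' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid key date.' ), 400 );
    }

    // 3. Capability check on the specific object. The 'delete_post' meta
    //    capability maps to delete_posts / delete_others_posts for the
    //    post's type and owner; a subscriber fails it for any post.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Permission denied.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_myplugin_delete_key_date', 'myplugin_delete_key_date_fixed' );
```

The order matters: the nonce check stops cross-site requests, the post-type check stops the handler being used as a generic delete endpoint, and the per-object capability check is the one whose absence this CVE describes. Checking a broad capability such as manage_options instead of the object-level 'delete_post' would also close the hole, but would lock out editors who legitimately own the record.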
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.13 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find PropertyHive and update to version 2.0.13 or later.
4. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the PropertyHive plugin until it is patched. The AJAX handler is only registered while the plugin is active, so this removes the endpoint entirely, at the cost of the plugin's functionality.
wp plugin deactivate propertyhive
Restrict User Registration
Temporarily disable new user registration to stop attackers from creating the subscriber-level account the exploit needs. This does nothing about accounts that already exist, so review existing low-privilege users as well.
In WordPress Settings > General, uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove or disable untrusted low-privilege accounts, keep self-registration closed, and monitor for post deletions by non-administrative users.
- Ensure regular backups are taken and restore-tested, since deleted content can only be recovered from them.
🔍 How to Verify
Check if Vulnerable:
Check the PropertyHive plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is 2.0.12 or lower, it is vulnerable. Compare versions numerically, not as strings: 2.0.9 is older than 2.0.12 and is affected.
Check Version:
wp plugin get propertyhive --field=version
Verify Fix Applied:
After updating, verify the plugin version is 2.0.13 or higher in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Post deletion events by non-administrative users. WordPress core does not log deletions by itself; an audit-log plugin or web-server access logs are needed to see them.
- Repeated POST requests to wp-admin/admin-ajax.php that invoke the delete_key_date handler, especially from one low-privilege account or a newly registered one. admin-ajax.php is called with POST, not the HTTP DELETE method, and the action parameter is usually in the request body, so access logs alone may not show it.
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php invoking the delete_key_date action from non-admin user accounts. Confirm the exact action parameter value against the plugin's AJAX registration before building a rule on it.
SIEM Query:
source="wordpress.log" AND (action="delete_key_date" OR message="*deleted post*") AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3075163%40propertyhive&new=3075163%40propertyhive&sfp_email=&sfph_mail=#file11
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d52ced-807b-48c0-bb7a-e40d143ae5d3?source=cve