CVE-2024-38749

5.3 MEDIUM

📋 TL;DR

The Olive One Click Demo Import WordPress plugin, in all versions up to and including 1.1.2, fails to check authorization before serving part of its demo-import functionality, so visitors who have not logged in can reach it. Patchstack classifies the result as sensitive data exposure (CWE-200): an unauthenticated attacker can read information the plugin returns. Every WordPress site with an affected version installed and active is exposed; version 1.1.3 corrects it.

💻 Affected Systems

Products:
  • Olive One Click Demo Import WordPress Plugin
Versions: all releases up to and including 1.1.2 (the CVE record gives no lower bound, hence "n/a")
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

📦 What is this software?

Olive One Click Demo Import is a WordPress plugin that imports a theme's demo content (sample pages, posts and settings) so a fresh site looks like the theme's demo. It is meant to be run by an administrator from the WordPress dashboard, usually once, right after a theme is installed; that administrator-only functionality is what this CVE exposes to unauthenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An unauthenticated attacker reads whatever the exposed demo-import functionality returns (configuration details and whatever else the import workflow reveals) and uses it to target the site further. Nothing in the advisory or the CVE record indicates that content can be imported or settings changed through this bug; the classification is sensitive data exposure, so treat integrity impact as unconfirmed rather than assumed.

🟠 Likely Case

Automated scanners and opportunistic attackers request the plugin's endpoints on every site they find and collect site details to choose follow-up attacks. Individually the information is low-value; at scale it tells an attacker which sites run this plugin and how they are configured.

🟢 If Mitigated

On 1.1.3 or later, or with the plugin removed, demo-import functionality is reachable only by logged-in administrators and unauthenticated requests to it fail.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) together with the 5.3 MEDIUM score and the "no authentication required" attribute describes a read-only disclosure: sending the right request to a reachable site is all that is needed, which is why complexity is rated LOW even without a published proof of concept. The 5.3 rating also signals limited impact (information disclosure, not code execution or site takeover).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/olive-one-click-demo-import/wordpress-olive-one-click-demo-import-plugin-1-1-2-sensitive-data-exposure-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Olive One Click Demo Import'
4. Click 'Update Now' if update available
5. If no update is offered, deactivate and delete the plugin (deactivating alone leaves its files on disk and reachable over HTTP)
6. Install 1.1.3 or later from the WordPress.org plugin repository, then confirm the version under Plugins → Installed Plugins before reactivating

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until it is patched. Deactivation stops WordPress from loading the plugin's code on normal page loads, but the files stay on disk and remain directly requestable over HTTP, so if patching is not imminent delete the plugin instead:

wp plugin deactivate olive-one-click-demo-import
wp plugin delete olive-one-click-demo-import

Restrict Access via .htaccess

Platform: Linux (Apache)

Block direct HTTP requests to the plugin's PHP files at the web server. Put the rules in a .htaccess file inside the plugin directory, not in the WordPress root: a root-level deny on *.php would also block index.php, wp-login.php and admin-ajax.php and take the site down. WordPress still loads the plugin through PHP includes, so the deny affects only direct HTTP requests. It requires AllowOverride to permit .htaccess in that directory, and it does nothing if the exposed functionality is reached through admin-ajax.php or the REST API, so treat it as a stopgap, not a fix.

# wp-content/plugins/olive-one-click-demo-import/.htaccess
# Apache 2.4:
<FilesMatch "\.(php|inc)$">
    Require all denied
</FilesMatch>
# Apache 2.2 (mod_access_compat) uses the older syntax instead:
# <FilesMatch "\.(php|inc)$">
#     Order Deny,Allow
#     Deny from all
# </FilesMatch>

🧯 If You Can't Patch

  • Remove the plugin completely (wp plugin delete olive-one-click-demo-import) and use another demo import solution; demo import is normally a one-time setup task, so the plugin rarely needs to stay installed
  • Add web application firewall rules that block requests to the plugin's paths from clients without a WordPress session; if the exposed functionality is reached through admin-ajax.php or the REST API, the rule must match those routes rather than the plugin directory

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Olive One Click Demo Import' version 1.1.2 or earlier

Check Version:

wp plugin get olive-one-click-demo-import --field=version

Verify Fix Applied:

Verify plugin version is 1.1.3 or later in WordPress admin panel
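The following script is an added example, not taken from the page or from the plugin: it combines the fix and verification steps above into one WP-CLI check over one or more WordPress installs. It assumes WP-CLI is installed and that `wp` can be run against each site root with `--path`; the version boundary (1.1.2 last affected, 1.1.3 fixed) is the page's. The `vercmp` helper compares versions numerically per dot-separated component, which matters because a plain string comparison would rank a hypothetical 1.10.0 below 1.1.3.

```shell
#!/bin/sh
# Added example (not from the original page or the plugin): check one or more
# WordPress installs for an affected Olive One Click Demo Import version and
# update the affected ones. Assumes WP-CLI ("wp") is installed.
set -eu

PLUGIN="olive-one-click-demo-import"
LAST_AFFECTED="1.1.2"   # per the advisory; 1.1.3 is the fixed release

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing dot-separated
# numeric parts (so 1.10.0 sorts after 1.1.3, unlike a string comparison).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# affected VERSION: prints "affected" if VERSION <= LAST_AFFECTED, else "fixed"
affected() {
  if [ "$(vercmp "$1" "$LAST_AFFECTED")" -le 0 ]; then
    echo affected
  else
    echo fixed
  fi
}

# check_site WP_ROOT: report the plugin's status in one install; update if affected.
check_site() {
  root="$1"
  if ! ver="$(wp plugin get "$PLUGIN" --field=version --path="$root" 2>/dev/null)"; then
    echo "$root: plugin not installed"
    return 0
  fi
  case "$(affected "$ver")" in
    affected)
      echo "$root: $ver is affected, updating"
      wp plugin update "$PLUGIN" --path="$root"
      echo "$root: now $(wp plugin get "$PLUGIN" --field=version --path="$root")"
      ;;
    fixed)
      echo "$root: $ver is not affected"
      ;;
  esac
}

# Usage: sh check-olive.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
  check_site "$root"
done
```

Run it with each WordPress document root as an argument; with no arguments it only defines the functions, which is convenient for sourcing it into a larger fleet-management script.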

📡 Detection & Monitoring

Log Indicators:

  • Requests to /wp-content/plugins/olive-one-click-demo-import/ (or admin-ajax.php and REST API calls that reference the plugin) from clients with no WordPress session
  • HTTP 200 responses to such requests; once fixed, an unauthenticated client should receive a 403, a redirect to wp-login.php or an error response instead
  • One client requesting several plugin paths in quick succession, which is how scanners probe for this class of bug

Network Indicators:

  • Requests for the plugin path from IPs with no prior login activity (no earlier POST to wp-login.php) or from known scanner ranges

SIEM Query:

source="access.log" AND uri="*olive-one-click-demo-import*" AND status=200 AND NOT uri="*.js" AND NOT uri="*.css"

Do not rely on the remote-user field of an Apache or nginx access log to separate unauthenticated hits from an administrator's: that field records the HTTP basic-auth user, which is "-" for virtually every WordPress request whether or not the visitor is logged in. To make the distinction, log whether a wordpress_logged_in_ cookie was present (for Apache: SetEnvIf Cookie "wordpress_logged_in_" wp_auth=1, then %{wp_auth}e in the LogFormat) and filter on that field.
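The log indicators above need a way to tell logged-in requests from unauthenticated ones, which a stock access log does not provide. The script below is an added example, not from the page or from the plugin. It assumes the Apache combined format extended with one trailing field recording whether a wordpress_logged_in_* cookie was sent, produced by the two directives quoted in the comment; the lines in SAMPLE_LOG are constructed for the example, use RFC 5737 documentation addresses, and the file name example.php is a placeholder rather than a real plugin endpoint.

```shell
#!/bin/sh
# Added example (not from the original page or the plugin): flag HTTP 200
# responses to non-static files under the plugin path that carried no
# WordPress login cookie, then rank the source IPs.
#
# Assumed Apache log configuration (combined format plus one field):
#   SetEnvIf Cookie "wordpress_logged_in_" wp_auth=1
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" wp_auth=%{wp_auth}e" wp
# %{wp_auth}e is logged as "-" when the cookie was absent.
set -eu

PLUGIN="olive-one-click-demo-import"

# flag_unauth_hits < access.log
# Prints "ip method target" for each request that names the plugin in its path
# or query, is not a static asset, returned 200, and had no logged-in cookie.
# Field positions: $1 ip, $6 "METHOD, $7 target, $9 status, $NF wp_auth=...
flag_unauth_hits() {
  awk -v slug="$PLUGIN" '
    {
      target = $7
      if ($9 + 0 != 200) next                 # only successful responses
      if ($NF != "wp_auth=-") next            # skip requests with a WP session
      if (index(target, slug) == 0) next      # must reference the plugin
      path = target; sub(/\?.*/, "", path)    # drop the query string
      if (path ~ /\.(js|css|png|jpe?g|gif|svg|woff2?|map)$/) next  # assets are public anyway
      print $1, substr($6, 2), target
    }'
}

# count_by_ip < access.log : "count ip" lines, highest count first
count_by_ip() {
  flag_unauth_hits | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample lines (placeholder paths, documentation IPs), not from a real server.
SAMPLE_LOG='203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/olive-one-click-demo-import/example.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)" wp_auth=-
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-content/plugins/olive-one-click-demo-import/example.php?step=2 HTTP/1.1" 200 880 "-" "Mozilla/5.0 (X11)" wp_auth=-
198.51.100.9 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/olive-one-click-demo-import/example.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)" wp_auth=1
203.0.113.5 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-content/plugins/olive-one-click-demo-import/assets/app.js HTTP/1.1" 200 31000 "-" "Mozilla/5.0 (X11)" wp_auth=-
203.0.113.77 - - [10/Jun/2024:12:00:05 +0000] "GET /wp-content/plugins/olive-one-click-demo-import/example.php HTTP/1.1" 403 199 "-" "curl/8.0" wp_auth=-
192.0.2.10 - - [10/Jun/2024:12:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0 (X11)" wp_auth=-'

# Run the filters over the constructed sample (for a real log: flag_unauth_hits < access.log).
sample_hits()  { printf '%s\n' "$SAMPLE_LOG" | flag_unauth_hits; }
sample_by_ip() { printf '%s\n' "$SAMPLE_LOG" | count_by_ip; }

if [ "${1:-}" = "--demo" ]; then
  sample_hits
  sample_by_ip
fi
```

On the sample, only the two unauthenticated 200s from 203.0.113.5 are flagged: the administrator's request (cookie present), the JavaScript asset, the 403 and the unrelated wp-login.php hit are all dropped. The cookie flag is a triage heuristic, not proof: it records that a cookie with that name prefix was sent, not that it was valid, so a client that forges one evades the filter. Requests routed through admin-ajax.php or the REST API match only if the plugin slug appears in the request target, so extend the index() test once the actual route is known.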
