CVE-2024-3895
📋 TL;DR
The WP Datepicker WordPress plugin has an authorization vulnerability that allows authenticated users with subscriber-level access or higher to modify arbitrary WordPress options. This can lead to privilege escalation attacks where attackers gain administrative control. All WordPress sites using WP Datepicker versions up to 2.1.0 are affected.
💻 Affected Systems
- WP Datepicker WordPress Plugin
📦 What is this software?
Wp Datepicker by Androidbubbles
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control of the WordPress site, allowing them to install backdoors, steal data, deface the site, or use the server for malicious activities.
Likely Case
Attackers escalate privileges to administrator level and modify site settings, inject malicious code, or create new admin accounts for persistence.
If Mitigated
With proper access controls and monitoring, unauthorized changes are detected and reverted before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber role or higher). The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Datepicker and click 'Update Now' if available. 4. If automatic update fails, download version 2.1.1 from WordPress.org and manually replace plugin files.
🔧 Temporary Workarounds
Disable WP Datepicker Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate wp-datepicker
Restrict User Registration
allDisable new user registration to prevent attackers from obtaining subscriber accounts
Update WordPress Settings → General → Membership to uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity logs for unauthorized option changes
- Use web application firewall rules to block requests to vulnerable AJAX endpoints
🔍 How to Verify
Check if Vulnerable:
Check WP Datepicker plugin version in WordPress admin under Plugins → Installed PluginsCheck Version:
wp plugin get wp-datepicker --field=versionVerify Fix Applied:
Confirm WP Datepicker version is 2.1.1 or higher after update📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=wpdp_add_new_datepicker
- Unexpected changes to WordPress options table
- User role escalation events
Network Indicators:
- HTTP requests to admin-ajax.php with wpdp_add_new_datepicker parameter from non-admin users
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wpdp_add_new_datepicker"🔗 References
- https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve
- https://plugins.trac.wordpress.org/changeset/3073525/wp-datepicker/trunk/inc/functions_inner.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071975%40wp-datepicker&new=3071975%40wp-datepicker&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3073221%40wp-datepicker&new=3073221%40wp-datepicker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45a42f20-a4d7-4c8e-a144-505a6723a2a0?source=cve
