CVE-2024-43298

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the WordPress Clone plugin (Migrate Clone) by WP Academy: incorrectly configured access control lets users who are not administrators reach functionality intended only for administrators. All versions up to and including 2.4.5 are affected, and any WordPress site running the vulnerable plugin is exposed.

💻 Affected Systems

Products:
  • WordPress Clone by WP Academy (Migrate Clone plugin)
Versions: all releases up to and including 2.4.5 (no lower bound given)
Operating Systems: All (WordPress plugin)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin enabled. No specific OS requirements.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative access to the WordPress site, modify content, install malicious plugins/themes, or take full control of the website.

🟠 Likely Case

Unauthorized users accessing clone/backup functionality, potentially exposing sensitive site data or configuration information.

🟢 If Mitigated

With proper access controls and authentication requirements, the vulnerability would be prevented from being exploited.
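The access control the paragraph above refers to is, in a WordPress plugin, a capability check at the top of every privileged handler. The following is an added illustration written for this page, not the Clone plugin's own code: the hook, action and function names (example_clone_export, example_clone_nonce) are hypothetical, and the vulnerable handler is shown only to contrast it with the hardened one.

```php
<?php
// Added example, not code from the Clone plugin. Hook, action and function
// names (example_clone_export*, example_clone_nonce) are hypothetical.

// VULNERABLE pattern: the handler is registered for logged-in users via
// wp_ajax_*, but never checks WHICH user is calling. Any subscriber-level
// account can POST action=example_clone_export to /wp-admin/admin-ajax.php.
add_action( 'wp_ajax_example_clone_export', 'example_clone_export_vulnerable' );
function example_clone_export_vulnerable() {
    // Missing authorization (CWE-862): no capability check, no nonce check.
    $result = example_run_clone_export();
    wp_send_json_success( $result );
}

// HARDENED pattern: authorize first, then verify the request originated from
// the plugin's own admin page (nonce), and only then do the privileged work.
add_action( 'wp_ajax_example_clone_export_secure', 'example_clone_export_secure' );
function example_clone_export_secure() {
    // 1. Authorization: require a capability only administrators hold.
    //    wp_send_json_error() calls wp_die() after responding, so no return needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the nonce is issued on the admin page with
    //    wp_create_nonce( 'example_clone_nonce' ) and sent in the 'security'
    //    POST field. check_ajax_referer() dies with HTTP 403 if it is invalid.
    check_ajax_referer( 'example_clone_nonce', 'security' );

    $result = example_run_clone_export();
    wp_send_json_success( $result );
}

// Never register privileged operations under wp_ajax_nopriv_*: that prefix
// exposes the action to unauthenticated visitors as well.

// Stand-in for the plugin's real clone/export routine (hypothetical).
function example_run_clone_export() {
    return array( 'status' => 'export started' );
}
```

The "Verify Fix Applied" step below maps onto the second handler: a request from a subscriber-level account must receive the 403 branch, never the success payload.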

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.6 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-clone-by-wp-academy/wordpress-clone-plugin-2-4-5-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Clone' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily deactivate the Clone plugin until it is patched:

wp plugin deactivate wp-clone-by-wp-academy

Restrict plugin access via .htaccess (Linux, Apache)

Add access restrictions to the plugin directory:

# Add to .htaccess in wp-content/plugins/wp-clone-by-wp-academy/
Order deny,allow
Deny from all

Two caveats: the Order/Deny directives are Apache 2.2 syntax and only work on Apache 2.4 if mod_access_compat is loaded (the 2.4 equivalent is "Require all denied"); and a directory .htaccess only blocks direct HTTP requests for files under that path, so plugin code that WordPress core loads and runs through its own entry points (for example /wp-admin/admin-ajax.php) is not affected by it. Deactivating the plugin is the more reliable of the two workarounds.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the WordPress admin interface
  • Enable WordPress security plugins that monitor for unauthorized access attempts and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for the 'Clone' plugin version. If the version is 2.4.5 or earlier, the site is vulnerable.

Check Version:

wp plugin get wp-clone-by-wp-academy --field=version

Verify Fix Applied:

Confirm the plugin version is 2.4.6 or later in the WordPress admin panel, then exercise the clone functionality as a non-admin user to confirm access is denied.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to clone/backup endpoints
  • Non-admin users accessing /wp-admin/admin-ajax.php with clone-related actions
  • Failed authentication attempts followed by successful clone operations

Network Indicators:

  • HTTP requests to clone endpoints from unauthorized IPs
  • Unusual traffic patterns to /wp-content/plugins/wp-clone-by-wp-academy/

SIEM Query:

source="wordpress.log" AND ((uri_path="/wp-admin/admin-ajax.php" AND action="clone") OR uri_path CONTAINS "/wp-content/plugins/wp-clone-by-wp-academy/") AND user_role!="administrator"

(The parentheses matter: without them AND binds tighter than OR, and the user_role filter would apply only to the plugin-directory branch, leaving admin-ajax hits from administrators in the results.)
