CVE-2024-4442
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete arbitrary files on WordPress sites using the Salon booking system plugin. Attackers can delete critical files like wp-config.php, potentially leading to site takeover and remote code execution. All WordPress sites with this plugin installed are affected.
💻 Affected Systems
- Salon booking system WordPress plugin
📦 What is this software?
Salon Booking System by Salonbookingsystem
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via wp-config.php deletion allowing database access, followed by remote code execution and full server control.
Likely Case
Site defacement, data loss from deleted files, and potential privilege escalation leading to administrative access.
If Mitigated
Limited impact if file permissions restrict deletion or if the plugin is disabled, though the vulnerability remains present.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires no authentication and minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 9.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3088196/salon-booking-system
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Salon booking system' and click 'Update Now'.
4. Verify the plugin version is 9.9 or higher.
🔧 Temporary Workarounds
Disable the plugin
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate salon-booking-system
Restrict file deletion permissions
Set strict file permissions on critical WordPress files to prevent deletion.
chmod 444 wp-config.php
chmod 444 wp-content/plugins/salon-booking-system/*
🧯 If You Can't Patch
- Implement a web application firewall (WAF) to block malicious requests targeting the vulnerable endpoint.
- Monitor file deletion logs and set up alerts for unauthorized file removal attempts.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If the version is 9.8 or lower, the site is vulnerable.
Check Version:
wp plugin get salon-booking-system --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 9.9 or higher in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=sln_remove_uploaded_file containing suspicious file paths
- File deletion events in system logs for wp-config.php or other critical files
Network Indicators:
- Unusual spikes in POST requests to admin-ajax.php endpoint
- Traffic patterns matching exploit attempts for CVE-2024-4442
SIEM Query:
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (action="sln_remove_uploaded_file" OR params CONTAINS "sln_remove_uploaded_file")
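Detection logic for the log indicators above, as an added example (not from the original advisory or the plugin vendor): it parses combined-format access log lines and flags POST requests to admin-ajax.php that name the sln_remove_uploaded_file action. The sample lines are constructed, and the parser assumes the Apache/nginx combined log format; because that format does not record POST bodies, a POST to admin-ajax.php with no action in the URL is flagged for review rather than confirmed, and must be correlated with WAF or request-body logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=sln_remove_uploaded_file HTTP/1.1" 200 27 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 27 "-" "curl/8.0"
192.0.2.5 - - [10/May/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields needed from a combined-format line: client IP, timestamp, method, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPICIOUS_ACTION = "sln_remove_uploaded_file"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed entry: 'confirmed' when a POST to admin-ajax.php names the
    vulnerable action in the query string; 'review' when a POST to admin-ajax.php
    carries no action in the URL (standard access logs omit POST bodies, so the
    action must be checked in WAF or request-body logs); None otherwise."""
    url = urlsplit(entry["target"])
    if entry["method"] != "POST" or url.path != AJAX_PATH:
        return None
    actions = parse_qs(url.query).get("action", [])
    if SUSPICIOUS_ACTION in actions:
        return "confirmed"
    return "review" if not actions else None


def scan(log_text):
    """Return one alert record (ip, ts, label) per suspicious line in log_text."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"], "label": label})
    return alerts
```

Running scan(SAMPLE_LOG) yields two alerts: one confirmed hit for the query-string request and one review item for the body-only POST.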
🔗 References
- https://plugins.trac.wordpress.org/browser/salon-booking-system/tags/9.8/src/SLN/Action/Ajax/RemoveUploadedFile.php#L5
- https://plugins.trac.wordpress.org/changeset/3088196/salon-booking-system#file14
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eaafeadd-f44c-49b1-b900-ef40800c629e?source=cve