CVE-2024-49611
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress websites running the vulnerable Product Website Showcase plugin. Any WordPress site using version 1.0 or earlier of this plugin is affected, potentially giving attackers full control over the web server.
💻 Affected Systems
- WordPress Product Website Showcase Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as a foothold for lateral movement within the network.
Likely Case
Web shell installation allowing remote code execution, website defacement, and backdoor persistence on the affected WordPress site.
If Mitigated
File uploads blocked or properly validated, limiting impact to denial of service if upload attempts occur.
🎯 Exploit Status
Exploitation requires no authentication and uses simple HTTP POST requests with malicious file uploads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Product Website Showcase' and update to the latest version.
4. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate and remove the vulnerable plugin from WordPress
wp plugin deactivate product-websites-showcase
wp plugin delete product-websites-showcase
Web Server File Upload Restriction
Configure the web server to deny requests for server-side script files in the plugin's upload directory. Note that this blocks execution of files that have already been uploaded; it does not stop the upload itself, so it is a stop-gap until the plugin is updated or removed.
# Apache: add to .htaccess in wp-content/uploads/product-websites-showcase/
# (extension list deduplicated; to also catch double extensions such as x.php.jpg
#  on hosts where AddHandler executes them, replace the trailing "$" with "(\.|$)")
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|php8|php9|phps|phar|inc|pl|py|jsp|asp|aspx|sh|cgi|exe|bat|cmd|ps1|psm1|vb|vbs|vbe|js|jse|wsf|wsh|wsc|msc|jar|war|ear|rb|bash|zsh|ksh|csh|tcsh|fish|dmg|app|scr|pif|com|hta|cpl|msi|msp|mst|reg|inf|ini|lnk|url|scf|sct|shb|shs)$">
    # Apache 2.4
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat loaded) uses the legacy form instead:
    # Order Allow,Deny
    # Deny from all
</FilesMatch>
# Nginx: add to the server block. Place it BEFORE the "location ~ \.php$" fastcgi
# block: nginx uses the first matching regex location in file order, so a later
# position would let the PHP handler win.
location ~* ^/wp-content/uploads/product-websites-showcase/.*\.(php|phtml|php3|php4|php5|php7|php8|php9|phps|phar|inc|pl|py|jsp|asp|aspx|sh|cgi|exe|bat|cmd|ps1|psm1|vb|vbs|vbe|js|jse|wsf|wsh|wsc|msc|jar|war|ear|rb|bash|zsh|ksh|csh|tcsh|fish|dmg|app|scr|pif|com|hta|cpl|msi|msp|mst|reg|inf|ini|lnk|url|scf|sct|shb|shs)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the Product Website Showcase plugin from all WordPress installations.
- Implement web application firewall (WAF) rules to block file uploads containing executable content to the plugin's upload endpoints.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Product Website Showcase' version 1.0 or earlier.
Check Version:
wp plugin get product-websites-showcase --field=version
Verify Fix Applied:
Verify plugin version is 1.0.1 or later, or confirm plugin is completely removed from the WordPress installation.
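Updating or deleting the plugin does not remove anything an attacker may already have dropped into its upload directory. The following script is an added example (not part of this advisory or the plugin) that walks a directory tree and flags files that carry a server-side script extension anywhere in their name, or that contain a PHP open tag despite an image-like name. The extension set, the constructed sample tree, and the file names in it are assumptions for the demonstration; point `find_suspicious_files()` at the real wp-content/uploads/product-websites-showcase/ path on a host you are checking.

```python
"""Post-removal check: find server-side script files left in an uploads directory.
Added example for CVE-2024-49611 remediation; not code from the advisory or plugin."""
import os
import tempfile

# Server-side script extensions that have no business in an uploads directory.
# Assumed to be a reasonable subset of the advisory's block list for a PHP host.
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "php8", "phps", "phar",
    "inc", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh",
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def is_suspicious(path):
    """True if the file name or its first bytes indicate server-side code."""
    name = os.path.basename(path)
    # Check every dot-separated segment after the first: this catches both
    # "x.php" and the double-extension form "x.php.png", which some Apache
    # AddHandler configurations still pass to the PHP interpreter.
    if any(seg.lower() in EXECUTABLE_EXTENSIONS for seg in name.split(".")[1:]):
        return True
    # Content check: a PHP open tag hiding inside a file that claims to be an image.
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(tag in head for tag in PHP_OPEN_TAGS)


def find_suspicious_files(root):
    """Return sorted paths (relative to root) of suspicious files under root."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if is_suspicious(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Build a constructed stand-in for the plugin's upload directory and scan it."""
    sample_files = {  # constructed contents, not real uploads
        "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "s.php": b"<?php echo 'left behind'; ?>",
        "2024/12/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php /* hidden */ ?>",
        "2024/12/gallery.php.png": b"\x89PNG\r\n\x1a\n",
        "readme.txt": b"plain text, nothing to see",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return find_suspicious_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Anything the scan reports should be preserved for forensics (timestamps, owner, the web server logs around its creation time) before it is removed, since the file itself is the evidence of a successful upload.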
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/product-websites-showcase/upload endpoints
- File uploads with .php, .phtml, or other executable extensions to plugin directories
- Unusual file creation in wp-content/uploads/product-websites-showcase/
Network Indicators:
- POST requests to upload endpoints with executable file content
- Unusual outbound connections from web server after file uploads
SIEM Query:
source="web_server_logs" AND (uri_path="/wp-content/plugins/product-websites-showcase/" OR uri_path CONTAINS "product-websites-showcase/upload") AND http_method="POST" AND (file_extension="php" OR file_extension="phtml" OR file_extension="phar" OR file_extension="jsp" OR file_extension="asp")
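The log indicators above can be checked offline against a combined-format access log (the default for both Apache and nginx). The script below is an added example, not part of this advisory or the plugin, that classifies each line as an upload attempt against the plugin path, a script served from the plugin's upload directory, or a script request the web server already denied, and then correlates the two so that a client that both posted to the plugin and later fetched a script file stands out. The log lines are constructed, and the endpoint names upload.php and ajax-upload.php are assumptions; the advisory only says "upload endpoints".

```python
"""Access-log triage for CVE-2024-49611 indicators.
Added example; constructed sample data, not real traffic."""
import re
from collections import Counter

PLUGIN_SLUG = "product-websites-showcase"
PLUGIN_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/"
UPLOAD_DIR = f"/wp-content/uploads/{PLUGIN_SLUG}/"

# Deduplicated subset of the advisory's block list (an assumption about what
# "executable content" means on a typical PHP host).
EXECUTABLE_EXTENSIONS = {
    "php", "phtml", "php3", "php4", "php5", "php7", "php8", "phps", "phar",
    "inc", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh",
}

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines. upload.php / ajax-upload.php are assumed endpoint names.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Dec/2024:13:01:02 +0000] "POST /wp-content/plugins/product-websites-showcase/upload.php HTTP/1.1" 200 143 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Dec/2024:13:01:09 +0000] "GET /wp-content/uploads/product-websites-showcase/s.php HTTP/1.1" 200 58 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Dec/2024:13:02:30 +0000] "GET /wp-content/uploads/product-websites-showcase/banner.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2024:13:03:11 +0000] "GET /wp-content/uploads/product-websites-showcase/x.phtml HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Dec/2024:13:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2024:13:05:45 +0000] "POST /wp-content/plugins/product-websites-showcase/admin/ajax-upload.php HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Dec/2024:13:06:02 +0000] "GET /wp-content/uploads/product-websites-showcase/2024/12/photo.php.jpg HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def has_executable_extension(uri):
    """True if any dot-segment of the request path's file name is a script extension.
    Checking every segment catches double extensions such as photo.php.jpg."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return any(seg.lower() in EXECUTABLE_EXTENSIONS for seg in name.split(".")[1:])


def classify(line):
    """Return an indicator name for one log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, uri, status = m["method"], m["uri"], int(m["status"])
    # Indicator 1: any POST to an upload endpoint under the plugin path.
    if method == "POST" and uri.startswith(PLUGIN_PATH) and "upload" in uri.lower():
        return "upload_attempt"
    # Indicator 2: a script file requested from the plugin's upload directory.
    # A 200 means the server executed or served it; anything else was denied.
    if uri.startswith(UPLOAD_DIR) and has_executable_extension(uri):
        return "script_served" if status == 200 else "script_blocked"
    return None


def summarize(lines):
    """Count indicator hits across a log, ignoring unremarkable lines."""
    return dict(Counter(c for c in map(classify, lines) if c))


def suspicious_sources(lines):
    """Clients that both posted to the plugin and requested a script from its upload dir."""
    uploaders, fetchers = set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(line)
        if kind == "upload_attempt":
            uploaders.add(m["ip"])
        elif kind in ("script_served", "script_blocked"):
            fetchers.add(m["ip"])
    return uploaders & fetchers


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print("correlated sources:", sorted(suspicious_sources(SAMPLE_LINES)))
```

A `script_served` hit is the strongest signal, since a 200 on a .php request inside the upload directory means the web server handed the file to the interpreter; a `script_blocked` hit shows the workaround above doing its job but still indicates that a file was placed there and should be removed. To run this against a real log, replace `SAMPLE_LINES` with the lines of the access log file.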