CVE-2024-50526
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files, including web shells, to WordPress servers running the vulnerable Multi Purpose Mail Form plugin. Attackers can achieve remote code execution and full server compromise. All WordPress sites using versions 1.0.2 or earlier of this plugin are affected.
💻 Affected Systems
- WordPress Multi Purpose Mail Form plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover, with the attacker gaining full administrative access, exfiltrating data, deploying ransomware, and using the host as a pivot point for lateral movement.
Likely Case
Web shell upload leading to website defacement, data theft, cryptocurrency mining, or participation in botnets.
If Mitigated
File upload attempts blocked at WAF level with no successful exploitation.
🎯 Exploit Status
Public exploit code exists and requires no authentication. Attack is trivial to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Multi Purpose Mail Form'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable plugin via wp-cli
Deactivate the vulnerable plugin using the WordPress command-line interface (wp-cli):
wp plugin deactivate multi-purpose-mail-form
Delete plugin files
Remove the plugin files from the server filesystem (adjust the path to your WordPress root):
rm -rf /path/to/wordpress/wp-content/plugins/multi-purpose-mail-form/
🧯 If You Can't Patch
- Immediately deactivate and remove the Multi Purpose Mail Form plugin from all WordPress installations
- Implement WAF rules to block file uploads to the affected plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Multi Purpose Mail Form' version 1.0.2 or earlier
Check Version:
wp plugin get multi-purpose-mail-form --field=version
Verify Fix Applied:
Verify plugin version is 1.0.3 or later, or confirm plugin is not installed
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/multi-purpose-mail-form/upload.php with file uploads
- Unauthorized file creation in upload directories
- Web shell file names like shell.php, cmd.php, backdoor.php
Network Indicators:
- Unusual outbound connections from web server
- POST requests with PHP file uploads to plugin endpoints
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/multi-purpose-mail-form/upload.php" OR file_name="*.php") AND http_method="POST"
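As an added example (not part of this advisory), the Python pass below implements the log indicators above over constructed access-log lines: it flags POST requests to the plugin's upload.php, flags any PHP file requested from the wp-content/uploads tree (broader than the three file names listed, since media uploads should never serve PHP), and raises severity when the same client did both. The Combined Log Format layout, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx Combined Log Format (assumed layout; adjust if your server logs differ)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Upload endpoint named in the advisory's log indicators
UPLOAD_ENDPOINT = "/wp-content/plugins/multi-purpose-mail-form/upload.php"
# Media tree: PHP should never be requested from here
UPLOADS_DIR = "/wp-content/uploads/"

# Constructed sample lines (not real traffic); TEST-NET addresses only
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:13:01:07 +0000] "GET /wp-content/plugins/multi-purpose-mail-form/css/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2024:13:02:11 +0000] "POST /wp-content/plugins/multi-purpose-mail-form/upload.php HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2024:13:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2024:13:02:45 +0000] "GET /wp-content/uploads/2024/11/cmd.php?c=id HTTP/1.1" 200 33 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(text):
    """One finding per suspicious request. A PHP hit under uploads from a client that
    already POSTed to the upload endpoint is escalated to high severity."""
    findings = []
    posted_upload = set()  # client IPs seen POSTing to the vulnerable endpoint
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = urlsplit(rec["url"]).path  # strip query string before matching
        ip = rec["ip"]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posted_upload.add(ip)
            findings.append({"ip": ip, "ts": rec["ts"], "path": path,
                             "reason": "post_to_upload_endpoint", "severity": "medium"})
        elif path.startswith(UPLOADS_DIR) and path.lower().endswith(".php"):
            sev = "high" if ip in posted_upload else "medium"
            findings.append({"ip": ip, "ts": rec["ts"], "path": path,
                             "reason": "php_under_uploads", "severity": sev})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['reason']:24} {f['path']}")
```

Feed real access logs in via `scan_access_log(open(path).read())`; a medium-severity POST alone is worth triage, while the high-severity correlation is the sequence the advisory describes.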