CVE-2024-5167
📋 TL;DR
This vulnerability in the CM Email Registration Blacklist and Whitelist WordPress plugin allows attackers to trick logged-in administrators into adding or removing email addresses from blacklists/whitelists via Cross-Site Request Forgery (CSRF) attacks. Attackers can manipulate email filtering rules without the admin's knowledge. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- CM Email Registration Blacklist and Whitelist WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could add legitimate email domains to blacklists, preventing user registrations, or whitelist malicious domains to bypass security controls, potentially enabling account takeover or spam campaigns.
Likely Case
Attackers modify blacklist/whitelist entries to disrupt legitimate user registrations or allow malicious registrations, causing service disruption or security bypass.
If Mitigated
With proper CSRF protections and admin awareness, impact is limited to unsuccessful attack attempts with no data compromise.
🎯 Exploit Status
Exploitation requires tricking a logged-in admin to click a malicious link or visit a compromised page. No authentication bypass needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.9
Vendor Advisory: https://wpscan.com/vulnerability/67bb5ab8-4493-4f5b-a989-41576675b61a/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'CM Email Registration Blacklist and Whitelist'.
4. Click 'Update Now' if available, or manually update to version 1.4.9.
5. Verify that the plugin version shows 1.4.9.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched; note that this also disables the email filtering functionality.
wp plugin deactivate cm-email-registration-blacklist-whitelist
🧯 If You Can't Patch
- Restrict admin access to trusted networks only to reduce exposure to CSRF attacks.
- Implement additional web application firewall (WAF) rules to detect and block CSRF attempts targeting plugin endpoints.
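What the patched code path has to do to close a CSRF hole of this kind, shown as an added example that is not the plugin's own code: the admin handler checks the user's capability and a per-user nonce before touching the list, and the form emits the matching nonce field. All hook names, option names, field names and nonce actions below are hypothetical.

```php
<?php
// Added example (not the plugin's own code): a WordPress admin-post handler that
// adds or removes an email address from a blacklist option. Hook, option, field
// and nonce names are hypothetical.
add_action( 'admin_post_cm_example_blacklist_update', 'cm_example_handle_blacklist_update' );

function cm_example_handle_blacklist_update() {
    // Capability check: only users allowed to manage options may change the list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // CSRF defence: the request must carry a nonce issued to this user for this
    // action. A form served from another origin cannot know the nonce value, so
    // check_admin_referer() stops with a 403 instead of processing the request.
    check_admin_referer( 'cm_example_blacklist_update', '_cm_example_nonce' );

    $email  = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $action = isset( $_POST['list_action'] ) ? sanitize_key( $_POST['list_action'] ) : '';

    if ( ! is_email( $email ) || ! in_array( $action, array( 'add', 'remove' ), true ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 400 ) );
    }

    $email     = strtolower( $email );
    $blacklist = (array) get_option( 'cm_example_email_blacklist', array() );
    if ( 'add' === $action ) {
        $blacklist[] = $email;
        $blacklist   = array_values( array_unique( $blacklist ) );
    } else {
        $blacklist = array_values( array_diff( $blacklist, array( $email ) ) );
    }
    update_option( 'cm_example_email_blacklist', $blacklist );

    wp_safe_redirect( admin_url( 'admin.php?page=cm_example_blacklist&updated=1' ) );
    exit;
}

// The settings form must emit the matching nonce field, otherwise the check
// above would also reject the plugin's own legitimate submissions.
function cm_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cm_example_blacklist_update">
        <?php wp_nonce_field( 'cm_example_blacklist_update', '_cm_example_nonce' ); ?>
        <input type="email" name="email" required>
        <select name="list_action"><option value="add">Add</option><option value="remove">Remove</option></select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Both checks matter: the nonce alone does not stop a low-privileged logged-in user, and the capability check alone does not stop a forged request riding on an administrator's session.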
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins, find 'CM Email Registration Blacklist and Whitelist' and verify version is below 1.4.9.
Check Version:
wp plugin list --name=cm-email-registration-blacklist-whitelist --field=version
Verify Fix Applied:
Confirm plugin version is 1.4.9 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=cm-email-blacklist or similar plugin admin endpoints from unexpected sources.
- Multiple failed or unexpected modifications to email blacklist/whitelist settings in short timeframes.
Network Indicators:
- CSRF attack patterns with forged requests to plugin admin endpoints without proper referrer/CSRF tokens.
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin.php" AND query_string="*cm-email*" AND http_method="POST")