CVE-2024-6220
📋 TL;DR
The Keydatas WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation. This vulnerability affects all versions up to 2.5.2 and can lead to remote code execution on vulnerable WordPress sites.
💻 Affected Systems
- Keydatas WordPress plugin (简数采集器)
📦 What is this software?
Keydatas by Keydatas
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install malware, steal data, or use the server for further attacks.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access and control over the WordPress site.
If Mitigated
File uploads blocked or restricted, preventing malicious file execution while maintaining plugin functionality.
🎯 Exploit Status
Simple file upload vulnerability with public proof-of-concept available. Attackers can easily craft malicious requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/keydatas/trunk/keydatas.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Keydatas plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable plugin
Deactivate the Keydatas plugin to prevent exploitation:
wp plugin deactivate keydatas
Web server file upload restriction
Block requests to the vulnerable endpoint via web server configuration. Note that both rules below match on the request path only, so they take effect when keydatas_downloadImages appears in the URL, not when it is sent solely in the POST body:
# Apache:
<LocationMatch "keydatas_downloadImages">
    Deny from all
</LocationMatch>
# Nginx:
location ~* keydatas_downloadImages { deny all; }
🧯 If You Can't Patch
- Immediately deactivate and remove the Keydatas plugin from all WordPress installations
- Implement web application firewall rules to block requests to the keydatas_downloadImages endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Keydatas version 2.5.2 or earlier
Check Version:
wp plugin list --name=keydatas --field=version
Verify Fix Applied:
Verify Keydatas plugin version is 2.5.3 or later, or confirm plugin is not installed
📡 Detection & Monitoring
Log Indicators:
- POST requests to */wp-content/plugins/keydatas/keydatas.php with file upload parameters
- Unusual file creations in wp-content/uploads directory with PHP/executable extensions
Network Indicators:
- HTTP requests containing 'keydatas_downloadImages' parameter with file upload data
SIEM Query:
source="web_server_logs" AND (uri="*keydatas.php*" AND method="POST" AND (param="*keydatas_downloadImages*" OR body="*keydatas_downloadImages*"))
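The log indicators above, turned into a small scanner for access-log lines (an added example, not code from the advisory or the plugin). It flags POSTs to the plugin endpoint, ranking those with the keydatas_downloadImages query parameter highest, and also flags successfully served .php files under wp-content/uploads as a derived corroboration of the file-creation indicator; the log lines and the assumption that uploads/ should never serve PHP are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:10:01:02 +0000] "POST /wp-content/plugins/keydatas/keydatas.php?keydatas_downloadImages=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jul/2024:10:01:03 +0000] "GET /wp-content/uploads/2024/07/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jul/2024:10:02:00 +0000] "POST /wp-content/plugins/keydatas/keydatas.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2024:10:03:00 +0000] "GET /wp-content/plugins/keydatas/keydatas.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2024:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/keydatas/keydatas.php"
UPLOADS_PREFIX = "/wp-content/uploads/"
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")

def classify(line):
    """Map one access-log line to (indicator, ip, target), or None if benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], m["status"]
    parts = urlsplit(target)
    path = parts.path.lower()
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if method == "POST" and path.endswith(PLUGIN_PATH):
        # The action parameter in the query string is the strongest signal...
        if "keydatas_downloadimages" in params:
            return ("keydatas_download_action", m["ip"], target)
        # ...but it may also travel in the POST body, which access logs do not
        # record, so any POST to the plugin endpoint still merits a lower-confidence alert.
        return ("keydatas_post", m["ip"], target)
    if method == "GET" and status == "200" and path.startswith(UPLOADS_PREFIX) and path.endswith(EXEC_EXT):
        # Derived indicator (assumption: uploads/ should never serve PHP): a script
        # served from uploads corroborates the file-creation indicator above.
        return ("script_served_from_uploads", m["ip"], target)
    return None

def scan(log_text):
    """Return all hits from a block of log text, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for indicator, ip, target in scan(SAMPLE_LOG):
        print(f"{indicator:28} {ip:15} {target}")
```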
🔗 References
- https://plugins.trac.wordpress.org/browser/keydatas/trunk/keydatas.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49ae7971-7bdf-4369-b04b-fb48ea5b9518?source=cve