Login Sign Up

CVE-2024-6500

10.0 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to read and delete arbitrary files on WordPress sites using vulnerable InPost plugins. On Windows servers, attackers can access any file on the system, while on Linux they're limited to files within the WordPress installation. All sites using affected plugin versions are at risk.

💻 Affected Systems

Products:
  • InPost for WooCommerce WordPress plugin
  • InPost PL WordPress plugin
Versions: InPost for WooCommerce: up to and including 1.4.0; InPost PL: up to and including 1.4.4
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Windows servers allow arbitrary file system access, while Linux limits file deletion to WordPress directory but allows reading any file.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise on Windows systems via arbitrary file deletion/reading, potentially leading to data destruction, credential theft, and full system takeover.

🟠

Likely Case

Unauthorized access to sensitive WordPress files (config, databases), deletion of critical site files causing service disruption, and potential privilege escalation.

🟢

If Mitigated

Limited impact if proper file permissions restrict access, but still exposes WordPress configuration and data.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation means any internet-facing WordPress site with vulnerable plugins is immediately vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing capability check in parse_request function makes exploitation straightforward for unauthenticated attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: InPost for WooCommerce: >1.4.0; InPost PL: >1.4.4

Vendor Advisory: https://plugins.trac.wordpress.org/browser/inpost-for-woocommerce/trunk

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Update InPost for WooCommerce to version >1.4.0 or InPost PL to >1.4.4. 4. Verify update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable plugins

all

Temporarily disable InPost plugins until patched

wp plugin deactivate inpost-for-woocommerce
wp plugin deactivate inpost-pl

Restrict file permissions

linux

Set strict file permissions on WordPress directories

chmod 644 wp-config.php
chmod 755 wp-content
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;

🧯 If You Can't Patch

  • Immediately disable both InPost plugins via WordPress admin or command line
  • Implement web application firewall rules to block requests to vulnerable plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin plugins page for InPost plugin versions: InPost for WooCommerce ≤1.4.0 or InPost PL ≤1.4.4

Check Version:

wp plugin list --name=inpost --field=version

Verify Fix Applied:

Confirm plugin versions show >1.4.0 for InPost for WooCommerce or >1.4.4 for InPost PL

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in WordPress logs
  • HTTP requests to InPost plugin endpoints from unauthenticated users
  • File deletion events in system logs

Network Indicators:

  • HTTP requests containing 'parse_request' or InPost-specific parameters
  • Unusual outbound traffic following file access attempts

SIEM Query:

source="wordpress.log" AND ("inpost" OR "easypack") AND ("parse_request" OR "file" OR "delete")

📊 Metadata

CVE ID: CVE-2024-6500
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
CWE: CWE-862
Published: August 17, 2024
Last Updated: August 19, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6500, you might also want to check these:

CVE-2024-6071 10.0

CVE-2024-6071 is a critical remote code execution vulnerability in PTC Creo Elements/Direct License ...

Same vulnerability type (CWE-862)
CVE-2022-0543 10.0

CVE-2022-0543 is a critical Lua sandbox escape vulnerability in Redis on Debian-based systems that a...

Same vulnerability type (CWE-862)
CVE-2024-52416 10.0

This critical vulnerability in the WordPress Debug Tool plugin allows attackers to upload malicious ...

Same vulnerability type (CWE-862)