CVE-2024-6799
📋 TL;DR
The YITH Essential Kit for WooCommerce #1 WordPress plugin has a missing capability check vulnerability that allows authenticated users with Subscriber-level access or higher to install, activate, and deactivate YITH plugins from a predefined list. This affects all versions up to and including 2.34.0, potentially enabling privilege escalation and unauthorized plugin management.
💻 Affected Systems
- YITH Essential Kit for WooCommerce #1 WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could install malicious plugins, gain administrative access, execute arbitrary code, or compromise the entire WordPress site and underlying server.
Likely Case
Attackers install legitimate but unwanted YITH plugins, modify site functionality, or use installed plugins as stepping stones for further attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to plugin management disruption without full system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via crafted HTTP requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.35.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3120283/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'YITH Essential Kit for WooCommerce #1'.
4. Click 'Update Now' if available, or manually update to version 2.35.0+.
5. Verify the update completes successfully.
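The fix this advisory points to is an authorization gate in front of each admin-ajax handler. As an added illustration, not the plugin's own code: a capability check (the same capabilities WordPress core requires for plugin operations) plus a nonce, applied to the three actions named under Detection & Monitoring. The hook names are assumed from those action parameters, and the module list is a constructed placeholder.

```php
<?php
// Illustrative code, not the plugin's own. Hook names assumed from the advisory's
// action parameters; the module list below is a constructed placeholder.
function yith_kit_example_modules() { // slug => plugin file
    return array(
        'example-module-a' => 'example-module-a/example-module-a.php',
        'example-module-b' => 'example-module-b/example-module-b.php',
    );
}
// Shared gate: verify a nonce AND the capability WordPress itself requires for
// the operation. The advisory's bug is the absence of the current_user_can()
// check, so any logged-in user who could reach admin-ajax.php got through.
function yith_kit_authorize( $capability ) {
    check_ajax_referer( 'yith_kit_module_action', 'nonce' ); // dies on bad/missing nonce
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }
    $slug    = isset( $_POST['module'] ) ? sanitize_key( wp_unslash( $_POST['module'] ) ) : '';
    $modules = yith_kit_example_modules();
    if ( ! isset( $modules[ $slug ] ) ) { // only the predefined list, never a free-form path
        wp_send_json_error( array( 'message' => 'unknown module' ), 400 );
    }
    return $modules[ $slug ];
}

function yith_kit_activate_module() {
    $file   = yith_kit_authorize( 'activate_plugins' );
    $result = activate_plugin( $file ); // null on success, WP_Error on failure
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'activated' => $file ) );
}

function yith_kit_deactivate_module() {
    $file = yith_kit_authorize( 'activate_plugins' ); // core checks the same cap to deactivate
    deactivate_plugins( $file );
    wp_send_json_success( array( 'deactivated' => $file ) );
}

function yith_kit_install_module() {
    $file = yith_kit_authorize( 'install_plugins' );
    // The download/install step itself (Plugin_Upgrader) is omitted; the gate runs first.
    wp_send_json_success( array( 'queued' => $file ) );
}

// No wp_ajax_nopriv_* registration, so unauthenticated requests never reach these.
add_action( 'wp_ajax_activate_module',   'yith_kit_activate_module' );
add_action( 'wp_ajax_deactivate_module', 'yith_kit_deactivate_module' );
add_action( 'wp_ajax_install_module',    'yith_kit_install_module' );
```

A Subscriber who sends action=install_module now receives a 403 from the capability check (or from the nonce check first), instead of reaching the install logic.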
🔧 Temporary Workarounds
Restrict User Registration
Disable new user registration to prevent attackers from obtaining Subscriber accounts.
In WordPress admin: Settings > General > Membership: Uncheck 'Anyone can register'
Remove Vulnerable Plugin
Temporarily deactivate and delete the vulnerable plugin until patched.
In WordPress admin: Plugins > Installed Plugins > Deactivate 'YITH Essential Kit for WooCommerce #1' > Delete
🧯 If You Can't Patch
- Implement strict network access controls to limit WordPress admin access to trusted IPs only.
- Monitor and audit plugin installation/activation logs for suspicious activity by low-privilege users.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin: Plugins > Installed Plugins. If the version is 2.34.0 or lower, the site is vulnerable.
Check Version:
In WordPress database: SELECT option_value FROM wp_options WHERE option_name = 'yith_jetpack_version';
Verify Fix Applied:
Confirm plugin version is 2.35.0 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action parameters: activate_module, deactivate_module, install_module from low-privilege user accounts
- Unexpected plugin installations or activations in WordPress logs
Network Indicators:
- Unusual outbound connections from WordPress server after plugin installation
SIEM Query:
source="wordpress.log" AND ("activate_module" OR "deactivate_module" OR "install_module") AND user_role="subscriber"
🔗 References
- https://plugins.trac.wordpress.org/browser/yith-essential-kit-for-woocommerce-1/trunk/class-yith-jetpack.php#L425
- https://plugins.trac.wordpress.org/browser/yith-essential-kit-for-woocommerce-1/trunk/class-yith-jetpack.php#L457
- https://plugins.trac.wordpress.org/browser/yith-essential-kit-for-woocommerce-1/trunk/class-yith-jetpack.php#L487
- https://plugins.trac.wordpress.org/changeset/3120283/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ca497ffa-6306-46dc-895f-94f1d5236e28?source=cve