CVE-2024-7380
📋 TL;DR
The Geo Controller WordPress plugin (slug cf-geoplugin), in all versions up to and including 8.6.9, has insufficient access controls on the AJAX handlers that create and delete WordPress navigation menus. Any authenticated user with Subscriber-level permissions or higher can therefore create or delete menus and modify site navigation without authorization.
💻 Affected Systems
- Geo Controller WordPress Plugin
📦 What is this software?
Geo Controller by Infinitumform
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical navigation menus, create malicious redirect menus, or deface website navigation, potentially disrupting user experience and site functionality.
Likely Case
Low-privileged users could modify menu structures, potentially creating confusion or redirecting users to malicious pages.
If Mitigated
With proper user access controls and monitoring, impact is limited to minor menu modifications that can be quickly reverted.
🎯 Exploit Status
Exploitation requires an authenticated account (Subscriber is enough) but is otherwise straightforward: the attacker sends requests to the plugin's admin-ajax.php handlers. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.7.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3168288%40cf-geoplugin%2Ftrunk&old=3168287%40cf-geoplugin%2Ftrunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Geo Controller' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 8.7.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable the vulnerable AJAX endpoints
Remove or restrict access to the vulnerable ajax__geolocate_menu and ajax__geolocate_remove_menu handlers.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_geolocate_menu', 'ajax__geolocate_menu');
remove_action('wp_ajax_geolocate_remove_menu', 'ajax__geolocate_remove_menu');
Caveat: remove_action() only unhooks a callback that was registered with exactly the same callable and priority. If the plugin registers these handlers as methods on a class instance rather than as plain functions, the string form above silently does nothing; check the plugin's own add_action() call, mirror its callable and priority, and make sure your remove_action() runs after the plugin has registered the hook (for example from an init callback). Verify the workaround by sending the AJAX action as a Subscriber and confirming it no longer creates or deletes a menu; if you cannot confirm that, deactivate the plugin instead.
Temporary plugin deactivation
Disable the Geo Controller plugin until it is patched (WP-CLI, run from the site root):
wp plugin deactivate cf-geoplugin
🧯 If You Can't Patch
- Restrict user roles: audit and remove unneeded Subscriber-level and other low-privilege accounts, and disable open registration (Settings > General > 'Anyone can register') so an attacker cannot self-provision the account the exploit needs.
- Implement web application firewall rules that block requests to /wp-admin/admin-ajax.php whose action parameter is geolocate_menu or geolocate_remove_menu. Most WAFs cannot see the WordPress role, so this blocks the feature for everyone; accept that as a temporary measure unless administrators need it.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Geo Controller version 8.6.9 or earlier.
Check Version:
wp plugin list --name=cf-geoplugin --field=version
Verify Fix Applied:
Confirm plugin version is 8.7.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Menu creation or deletion events (terms in the nav_menu taxonomy created or deleted) attributed to non-administrator users. WordPress core does not log these by itself; an activity-log plugin or a custom hook is needed.
- Requests to /wp-admin/admin-ajax.php with action=geolocate_menu or action=geolocate_remove_menu. admin-ajax.php accepts the action parameter from the POST body, which standard Apache/Nginx access logs do not record, so these requests only show up in the access log when the caller puts action in the query string; otherwise look in WAF/ModSecurity audit logs or application-level request logging.
Network Indicators:
- POST requests to admin-ajax.php carrying the menu-modification actions from sessions belonging to non-administrator users.
SIEM Query (Splunk-style; field names depend on your WordPress audit-log source):
source="wordpress.log" AND ("geolocate_menu" OR "geolocate_remove_menu") AND user_role!="administrator"
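The detection logic above, run over sample request logs, as an added example that is not part of the original advisory or the plugin's code. It assumes an audit-style JSON-lines log that records the request body and the resolved WordPress user and role (a WAF or activity-log plugin would produce something similar); the field names, the sample lines and the helper names are constructed for the example. It reads the action parameter from both the query string and the body, because WordPress resolves admin-ajax actions from $_REQUEST, and it suppresses hits from administrators, who are allowed to manage menus.

```python
"""Flag likely CVE-2024-7380 abuse in request logs (constructed example).

Assumption: each log line is JSON with ts, ip, method, uri, body, user and
role fields. Standard Apache/Nginx access logs carry no POST body, so with
those the action is only visible when it sits in the query string.
"""
import json
from urllib.parse import parse_qs, urlsplit

# admin-ajax actions named in the advisory (the wp_ajax_* hook names).
SUSPECT_ACTIONS = {"geolocate_menu", "geolocate_remove_menu"}
# Roles expected to manage menus legitimately; everything else is flagged.
PRIVILEGED_ROLES = {"administrator"}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
{"ts":"2024-08-01T10:00:01Z","ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=geolocate_menu&menu_name=evil","user":"subscriber1","role":"subscriber"}
{"ts":"2024-08-01T10:00:02Z","ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","user":"subscriber1","role":"subscriber"}
{"ts":"2024-08-01T10:00:03Z","ip":"192.0.2.9","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=geolocate_remove_menu&menu_id=3","user":"admin","role":"administrator"}
{"ts":"2024-08-01T10:00:04Z","ip":"203.0.113.5","method":"GET","uri":"/wp-admin/admin-ajax.php?action=geolocate_remove_menu&menu_id=3","body":"","user":"subscriber1","role":"subscriber"}
{"ts":"2024-08-01T10:00:05Z","ip":"203.0.113.5","method":"POST","uri":"/wp-login.php","body":"log=x&pwd=y","user":"","role":""}
"""


def is_admin_ajax(uri):
    """True if the request path is admin-ajax.php (site may live in a subdir)."""
    return urlsplit(uri).path.endswith("/wp-admin/admin-ajax.php")


def extract_action(uri, body):
    """Return the admin-ajax `action` from the query string or the body.

    WordPress reads it from $_REQUEST, so a body value overrides a query
    value here just as it would in PHP. Returns None when absent.
    """
    params = parse_qs(urlsplit(uri).query)
    params.update(parse_qs(body or ""))
    values = params.get("action")
    return values[0] if values else None


def find_suspicious(log_text):
    """Return one alert dict per non-administrator call to a suspect action."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_admin_ajax(rec["uri"]):
            continue
        action = extract_action(rec["uri"], rec.get("body"))
        if action not in SUSPECT_ACTIONS:
            continue
        if rec.get("role") in PRIVILEGED_ROLES:
            continue
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "user": rec.get("user") or "<anonymous>",
            "role": rec.get("role") or "<none>",
            "action": action,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print("ALERT {ts} {ip} user={user} role={role} action={action}".format(**alert))
```

On the constructed sample the detector flags the two Subscriber requests (one with the action in the POST body, one with it in the query string) and ignores the heartbeat call, the administrator's legitimate menu removal and the login request. In production, add editors or any custom role that has been granted edit_theme_options to PRIVILEGED_ROLES, and treat an unauthenticated hit on these actions as worth a look as well, since the wp_ajax_ hooks on this page are only reachable by logged-in users.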