CVE-2024-7384

7.5 HIGH

📋 TL;DR

The AcyMailing WordPress plugin has a vulnerability that allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation. This can lead to remote code execution on affected WordPress sites. All WordPress sites using AcyMailing versions up to 9.7.2 are vulnerable.

💻 Affected Systems

Products:
  • AcyMailing WordPress Plugin
Versions: All versions up to and including 9.7.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with at least Subscriber role. WordPress multisite installations are also affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full server control through remote code execution, leading to data theft, site defacement, malware distribution, or complete system compromise.

🟠

Likely Case

Attackers upload web shells or malicious scripts to execute arbitrary commands, potentially gaining administrative access to the WordPress site and server.

🟢

If Mitigated

With proper file upload restrictions and web application firewalls, attackers may only be able to upload benign files without achieving code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in a core file extraction function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.3 and later

Vendor Advisory: https://www.acymailing.com/changelog/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find AcyMailing plugin
4. Click 'Update Now' if available
5. Alternatively, download version 9.7.3+ from WordPress.org and manually update

🔧 Temporary Workarounds

Restrict File Uploads via .htaccess

Block execution of uploaded files in upload directories. Add the following to .htaccess in wp-content/uploads/acymailing/:

<FilesMatch "\.(php|php5|php7|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Note: Order/Deny is Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" inside the FilesMatch block instead. This only stops the web server from serving or executing scripts already in that directory; it does not prevent the upload itself.

Disable AcyMailing Plugin

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate acymailing

🧯 If You Can't Patch

  • Remove Subscriber and higher role access from untrusted users
  • Implement web application firewall rules to block suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → AcyMailing version. If version is 9.7.2 or lower, you are vulnerable.

Check Version:

wp plugin get acymailing --field=version

Verify Fix Applied:

Confirm AcyMailing version is 9.7.3 or higher in WordPress admin panel.
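The version check above is easy to get wrong when scripted, because a plain string comparison ranks "9.7.10" below "9.7.3". The following added helper (not part of this advisory or of AcyMailing) parses the version into integers and compares it against the first fixed release, 9.7.3, taken from the advisory. The wp-cli command wrapper uses the same command the advisory gives; the optional --path argument is wp-cli's standard flag for pointing at a WordPress install.

```python
import re
import subprocess

# First patched release according to the advisory (9.7.3 and later are fixed).
FIXED_IN = (9, 7, 3)


def parse_version(text):
    """Turn '9.7.2' (or '9.7.3-beta1', '9.7') into a tuple of ints.

    Only the leading dotted-number part is used; suffixes are ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text):
    """True when the installed version is below the first fixed release."""
    v = parse_version(version_text)
    # Pad short versions so '9.7' compares like '9.7.0'.
    v = v + (0,) * (len(FIXED_IN) - len(v))
    return v < FIXED_IN


def installed_version(wp_path=None):
    """Ask wp-cli for the plugin version (wp must be on PATH)."""
    cmd = ["wp", "plugin", "get", "acymailing", "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    return subprocess.check_output(cmd, text=True).strip()


if __name__ == "__main__":
    try:
        ver = installed_version()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query wp-cli: {exc}")
    else:
        state = "VULNERABLE" if is_vulnerable(ver) else "patched"
        print(f"AcyMailing {ver}: {state}")
```

Run it from the WordPress root (or pass the path) after updating to confirm the installed version is at or above 9.7.3.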

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /wp-content/uploads/acymailing/
  • POST requests to acym_extractArchive function
  • Multiple failed upload attempts from single user

Network Indicators:

  • HTTP POST requests with file uploads to AcyMailing endpoints
  • Unusual outbound connections from WordPress server after file uploads

SIEM Query:

source="wordpress.log" AND (("acymailing" AND "upload") OR "acym_extractArchive")

Note: without the outer parentheses, AND binds tighter than OR in most SIEM query languages, so the acym_extractArchive branch would match events from any source.
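The log and network indicators listed above can be turned into a small triage script for web server access logs. The following is an added example, not part of this advisory or of AcyMailing: it parses combined-format log lines, flags POST requests whose request line mentions acym_extractArchive, flags any request for a script file (the same extension list as the .htaccess workaround) under /wp-content/uploads/acymailing/, and counts repeated upload POSTs per client. The sample log lines and the query-string parameters in them are constructed for the example; they are not the plugin's real routes.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not real traffic; URL
# parameters are placeholders, not AcyMailing's actual endpoints).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "POST /wp-admin/admin.php?page=acymailing_example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:12:00:05 +0000] "POST /wp-admin/admin.php?page=acymailing_example&task=acym_extractArchive HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:12:00:09 +0000] "POST /wp-admin/admin.php?page=acymailing_example&task=acym_extractArchive HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:12:00:20 +0000] "GET /wp-content/uploads/acymailing/plugins/x/uploaded.php HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.3 - - [10/Aug/2024:12:01:00 +0000] "GET /wp-content/uploads/acymailing/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Aug/2024:12:01:03 +0000] "GET /wp-content/uploads/2024/08/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIR = "/wp-content/uploads/acymailing/"
# Same extension list the .htaccess workaround blocks.
SCRIPT_EXT_RE = re.compile(r"\.(php|php5|php7|phtml|phar)(\?|$)")


def analyse(log_text, repeat_threshold=3):
    """Return a list of (kind, client_ip, detail, status) findings."""
    findings = []
    upload_posts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        lower = path.lower()

        # Indicator: POST requests reaching the archive-extraction function.
        if method == "POST" and "acym_extractarchive" in lower:
            findings.append(("extract_archive_call", ip, path, status))
            upload_posts[ip] += 1
        elif method == "POST" and "acymailing" in lower:
            upload_posts[ip] += 1

        # Indicator: a script file being requested from the upload directory.
        # A 200 means the server served it; a 403 suggests the .htaccess block worked.
        if UPLOAD_DIR in lower and SCRIPT_EXT_RE.search(lower):
            findings.append(("script_in_upload_dir", ip, path, status))

    # Indicator: many upload-related POSTs from one client in the window.
    for ip, n in upload_posts.items():
        if n >= repeat_threshold:
            findings.append(("repeated_upload_posts", ip, f"{n} POSTs", 0))
    return findings


def summarize(findings):
    """Count findings by kind, for dashboards or quick assertions."""
    return Counter(kind for kind, *_ in findings)


if __name__ == "__main__":
    for kind, ip, detail, status in analyse(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {status:>4} {detail}")
```

Feed it a real access log with `analyse(open(path).read())`; any script_in_upload_dir hit with status 200 deserves an immediate look at the file on disk, and the repeat threshold should be tuned to the site's normal admin activity.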

🔗 References
