CVE-2024-7424 – The Multiple Page Generator (MPG) WordPress plu... (How to Fix)

Q: What is the severity of CVE-2024-7424?

CVE-2024-7424 has a CVSS score of 5.4 (MEDIUM). The Multiple Page Generator (MPG) WordPress plugin up to version 4.0.1 lacks proper authorization checks on several administrative functions. This allows authenticated attackers with Subscriber-level access or higher to upload CSV files and view MPG project contents, which should be restricted to administrators only.

📋 TL;DR

The Multiple Page Generator (MPG) WordPress plugin up to version 4.0.1 lacks proper authorization checks on several administrative functions. This allows authenticated attackers with Subscriber-level access or higher to upload CSV files and view MPG project contents, which should be restricted to administrators only.

💻 Affected Systems

Products:

Multiple Page Generator Plugin – MPG for WordPress

Versions: All versions up to and including 4.0.1

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with MPG plugin enabled and at least one Subscriber-level user account.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Subscriber-level users could upload malicious CSV files containing malware or backdoors, potentially compromising the entire WordPress site and server.

🟠

Likely Case

Subscribers can view sensitive MPG project data and upload unauthorized CSV files, potentially exposing confidential information or enabling data manipulation.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized data viewing by low-privileged users.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. The vulnerability is in specific PHP functions that lack capability checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3178830%40multiple-pages-generator-by-porthas%2Ftrunk&old=3174918%40multiple-pages-generator-by-porthas%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Multiple Page Generator Plugin – MPG'. 4. Click 'Update Now' if available, or download version 4.0.2+ from WordPress repository. 5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable MPG Plugin

all

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate multiple-pages-generator-by-porthas

Restrict Subscriber Capabilities

all

Use WordPress role management plugins to remove file upload capabilities from Subscriber role.

🧯 If You Can't Patch

Remove Subscriber-level user accounts or restrict their creation.
Implement web application firewall rules to block requests to MPG plugin endpoints from non-admin users.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for MPG plugin version. If version is 4.0.1 or lower, you are vulnerable.

Check Version:

wp plugin get multiple-pages-generator-by-porthas --field=version

Verify Fix Applied:

After updating, verify MPG plugin version shows 4.0.2 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Unauthorized POST requests to /wp-admin/admin-ajax.php with action parameters related to MPG functions from Subscriber-level users.
CSV file uploads via MPG plugin from non-admin users.

Network Indicators:

HTTP requests to MPG-specific endpoints (e.g., containing 'mpg' or 'dataset' in URL) from low-privilege user IPs.

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php") AND (user_role="subscriber") AND (action="*mpg*" OR action="*dataset*")

📊 Metadata

CVE ID: CVE-2024-7424

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-284

Published: November 1, 2024

Last Updated: November 1, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-7424, you might also want to check these: