CVE-2024-7863
📋 TL;DR
The Favicon Generator WordPress plugin before version 2.1 contains two critical vulnerabilities: missing file upload validation and missing CSRF protection. This allows authenticated attackers to upload arbitrary files (including PHP shells) to the server, potentially leading to remote code execution. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Favicon Generator (CLOSED) WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Website defacement, data theft, or installation of cryptocurrency miners or malware on vulnerable servers.
If Mitigated
No impact if plugin is updated or disabled, or if proper file upload restrictions and CSRF protections are implemented at the web server level.
🎯 Exploit Status
Exploitation requires admin access or successful CSRF attack against admin user. File upload bypass is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1
Vendor Advisory: https://wpscan.com/vulnerability/5e814b02-3870-4742-905d-ec03b0d31add/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Favicon Generator' plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 2.1+ and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allCompletely deactivate and remove the vulnerable plugin
wp plugin deactivate favicon-generator
wp plugin delete favicon-generator
Restrict File Uploads
linuxConfigure web server to block PHP file uploads in plugin directories
# Add to .htaccess in wp-content/uploads: <Files *.php> deny from all </Files>
🧯 If You Can't Patch
- Immediately disable the Favicon Generator plugin via WordPress admin or command line
- Implement strict file upload filtering at web server level to block PHP and executable files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Favicon Generator' version. If version is below 2.1, system is vulnerable.Check Version:
wp plugin list --name=favicon-generator --field=versionVerify Fix Applied:
Confirm plugin version is 2.1 or higher in WordPress admin panel, or verify plugin is completely removed from wp-content/plugins directory.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory
- POST requests to /wp-admin/admin-ajax.php with 'action=favicon_generator_upload' parameter
- PHP file execution from unexpected locations
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from unauthorized sources
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="favicon_generator_upload")