CVE-2024-8243 – This vulnerability in the WordPress Upgrade Tim... (How to Fix)

Q: What is the severity of CVE-2024-8243?

CVE-2024-8243 has a CVSS score of 6.3 (MEDIUM). This vulnerability in the WordPress Upgrade Time Out Plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that inject stored XSS payloads. Attackers can trick logged-in administrators into executing malicious actions without their knowledge. WordPress sites using this plugin through version 1.0 are affected.

📋 TL;DR

This vulnerability in the WordPress Upgrade Time Out Plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that inject stored XSS payloads. Attackers can trick logged-in administrators into executing malicious actions without their knowledge. WordPress sites using this plugin through version 1.0 are affected.

💻 Affected Systems

Products:

WordPress Upgrade Time Out Plugin

Versions: through 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin active. Attack requires admin to be logged in and tricked into visiting malicious page.

📦 What is this software?

Wordpress\/plugin Upgrade Time Out Plugin by Felixker

View all CVEs affecting Wordpress\/plugin Upgrade Time Out Plugin →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise through admin account takeover, data theft, defacement, or malware distribution to visitors.

🟠

Likely Case

Site defacement, credential theft from visitors, or injection of malicious scripts that steal session cookies.

🟢

If Mitigated

Limited impact with proper CSRF protections and content security policies in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires social engineering to trick admin, but technical complexity is low once admin visits malicious page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://wpscan.com/vulnerability/8e1e2d8d-41aa-49bc-95d5-dae75be788d5/

Restart Required: No

Instructions:

1. Deactivate and delete the Upgrade Time Out Plugin. 2. Check for any injected malicious scripts in database. 3. Consider alternative plugins for similar functionality.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Deactivate and remove the vulnerable plugin from WordPress

wp plugin deactivate upgrade-time-out
wp plugin delete upgrade-time-out

Implement CSRF protection headers

all

Add Content Security Policy and anti-CSRF tokens

Add to .htaccess: Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "default-src 'self'"

🧯 If You Can't Patch

Restrict admin access to trusted networks only
Implement web application firewall with XSS and CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Upgrade Time Out' version 1.0 or earlier

Check Version:

wp plugin list --name=upgrade-time-out --field=version

Verify Fix Applied:

Confirm plugin is deactivated and removed from plugins directory

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin/admin-ajax.php
Admin users executing unexpected plugin actions
Script tags with suspicious content in database

Network Indicators:

Requests with suspicious parameters to plugin endpoints
Cross-origin requests to admin functions

SIEM Query:

source="wordpress.log" AND ("upgrade-time-out" OR "admin-ajax.php") AND status=200 AND method=POST

📊 Metadata

CVE ID: CVE-2024-8243

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CWE: CWE-352

EPSS Score: 0.08% exploit probability (22.8th percentile)

Published: April 9, 2025

Last Updated: April 22, 2025

🔗 References

https://wpscan.com/vulnerability/8e1e2d8d-41aa-49bc-95d5-dae75be788d5/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8243, you might also want to check these: