CVE-2024-8292
📋 TL;DR
The WP-Recall plugin for WordPress has a critical vulnerability that allows unauthenticated attackers to reset any user's password by supplying their email address during new order creation. This leads to complete account takeover and privilege escalation. All WordPress sites using WP-Recall with the commerce addon enabled are affected.
💻 Affected Systems
- WP-Recall WordPress plugin
📦 What is this software?
Wp Recall by Plechevandrey
⚠️ Risk & Real-World Impact
Worst Case
Attackers can take over administrator accounts, gain full control of the WordPress site, install backdoors, steal sensitive data, and potentially compromise the entire server infrastructure.
Likely Case
Attackers will compromise user accounts to steal personal information, payment details, and use compromised accounts for spam, phishing, or further attacks within the WordPress ecosystem.
If Mitigated
With proper monitoring and immediate response, impact is limited to temporary service disruption and mandatory password resets for affected users.
🎯 Exploit Status
Exploitation is straightforward: an attacker only needs to send a crafted request to the order creation endpoint with a target email address. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.26.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3145798/wp-recall/trunk/add-on/commerce/classes/class-rcl-create-order.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the WP-Recall plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 16.26.9+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Commerce Addon
Temporarily disable the commerce functionality to prevent exploitation while planning the permanent fix
Navigate to WP-Recall settings and disable commerce module
Disable Plugin Entirely
Completely disable the WP-Recall plugin until the patched version is installed
In WordPress admin: Plugins → Installed Plugins → Deactivate WP-Recall
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to order creation endpoints from unauthenticated users
- Enable detailed logging of all password reset and order creation activities and monitor for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check WP-Recall plugin version in WordPress admin panel under Plugins → Installed Plugins. If version is 16.26.8 or lower and commerce addon is enabled, the site is vulnerable.
Check Version:
WordPress admin panel: Plugins → Installed Plugins → look for WP-Recall version
Verify Fix Applied:
After updating, verify plugin version shows 16.26.9 or higher. Test order creation functionality to ensure proper user authentication is enforced.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by a successful login from a new IP
- Unusual order creation requests with email parameter manipulation
- Password reset requests for multiple users from same IP
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=rcl_create_order containing user_email parameter
- Requests to order creation endpoints from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("rcl_create_order" OR "user_email") AND status=200 AND user="-"
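The following is an added example, not part of the original advisory or the WP-Recall project, showing how the network indicators above can be checked offline against request logs. It assumes a hypothetical JSON-lines log format in which a WAF or application logger has recorded the request method, path, parsed parameters, the authenticated WordPress user ("-" when unauthenticated) and the HTTP status; the field names are assumptions, and the log lines themselves are constructed. The parameter names `action=rcl_create_order` and `user_email` are those stated in the advisory.

```python
import json
from collections import defaultdict

# Constructed sample log lines (JSON per line). The schema (ts, src_ip, method,
# path, params, user, status) is an assumption for this example, not a real
# product's format. 203.0.113.5 issues three unauthenticated order requests,
# each naming a different user_email; 198.51.100.7 is a logged-in user placing
# a normal order; the last line is unrelated admin-ajax traffic.
SAMPLE_LOG = """\
{"ts":"2024-09-10T10:00:01Z","src_ip":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"rcl_create_order","user_email":"alice@example.test"},"user":"-","status":200}
{"ts":"2024-09-10T10:00:02Z","src_ip":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"rcl_create_order","user_email":"bob@example.test"},"user":"-","status":200}
{"ts":"2024-09-10T10:00:03Z","src_ip":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"rcl_create_order","user_email":"admin@example.test"},"user":"-","status":200}
{"ts":"2024-09-10T10:05:00Z","src_ip":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"rcl_create_order","user_email":"carol@example.test"},"user":"carol","status":200}
{"ts":"2024-09-10T10:06:00Z","src_ip":"198.51.100.8","method":"GET","path":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"},"user":"dave","status":200}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unauthenticated_order_request(event):
    """Match the advisory's network indicator: a POST to admin-ajax.php with
    action=rcl_create_order that carries a user_email parameter and comes from
    a request with no authenticated WordPress user."""
    params = event.get("params", {})
    return (
        event.get("method") == "POST"
        and event.get("path", "").endswith("/wp-admin/admin-ajax.php")
        and params.get("action") == "rcl_create_order"
        and "user_email" in params
        and event.get("user", "-") == "-"
    )


def find_indicators(events, multi_target_threshold=2):
    """Return per-event hits plus a per-source roll-up.

    A single unauthenticated order request may be benign (guest checkout), so
    the stronger signal is one source IP naming several different user_email
    values, which is what the advisory's 'multiple users from same IP' indicator
    describes.
    """
    hits = [e for e in events if is_unauthenticated_order_request(e)]
    targets_by_ip = defaultdict(set)
    for e in hits:
        targets_by_ip[e["src_ip"]].add(e["params"]["user_email"])
    multi_target_ips = {
        ip: sorted(emails)
        for ip, emails in targets_by_ip.items()
        if len(emails) >= multi_target_threshold
    }
    return {"unauthenticated": hits, "multi_target_ips": multi_target_ips}


if __name__ == "__main__":
    result = find_indicators(parse_log(SAMPLE_LOG))
    for e in result["unauthenticated"]:
        print("unauthenticated order request", e["ts"], e["src_ip"], e["params"]["user_email"], e["status"])
    for ip, emails in result["multi_target_ips"].items():
        print("source", ip, "named", len(emails), "distinct accounts:", ", ".join(emails))
```

The per-event check mirrors the SIEM query above (request to the order endpoint with no logged-in user); the roll-up adds the "several accounts from one source" condition so that a single guest order does not page anyone. Point `parse_log` at a real export once the field names are adapted to whatever the site's WAF or logging plugin actually writes.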
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/add-on/commerce/classes/class-rcl-create-order.php#L127
- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/add-on/commerce/functions-frontend.php#L113
- https://plugins.trac.wordpress.org/browser/wp-recall/tags/16.26.8/rcl-functions.php#L1339
- https://plugins.trac.wordpress.org/changeset/3145798/wp-recall/trunk/add-on/commerce/classes/class-rcl-create-order.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8fa4b5df-dc71-49de-880b-895eb1d9cdca?source=cve