CVE-2024-8795
📋 TL;DR
The BA Book Everything WordPress plugin has a CSRF vulnerability that allows unauthenticated attackers to trick administrators into clicking malicious links, which can reset user passwords and compromise accounts. All WordPress sites using this plugin up to version 1.6.20 are affected. This requires social engineering but no authentication to exploit.
💻 Affected Systems
- BA Book Everything WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, leading to complete site takeover, data theft, malware injection, and further privilege escalation.
Likely Case
Attackers compromise user accounts (including administrators) by resetting passwords, leading to unauthorized access, data exposure, and potential site defacement.
If Mitigated
With proper CSRF protections and user awareness, exploitation attempts fail, maintaining normal site operations and security.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links, but the technical execution is simple once the victim interacts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.21 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'BA Book Everything' and check whether an update is available.
4. Click 'Update Now' to install version 1.6.21 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until it is patched.
wp plugin deactivate ba-book-everything
Apply CSRF Protection Manually
Add nonce validation to the my_account_update() function in the plugin files.
Edit includes/class-babe-my-account.php and includes/class-babe-users.php to add wp_verify_nonce() checks.
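Illustrative WordPress AJAX handler showing the nonce check the workaround above describes, beside the unprotected pattern it replaces. This is an added example, not the plugin's own code; the function names, the nonce action string 'babe_my_account_update' and the field name 'babe_nonce' are assumptions.

```php
<?php
// Added example, not the plugin's code. Handler names, nonce action and
// field name are assumptions chosen for illustration.

// --- Unprotected pattern: nothing ties the request to a form this site rendered,
// so a POST to admin-ajax.php?action=my_account_update triggered from a
// third-party page is processed with the logged-in victim's session.
function babe_example_my_account_update_unprotected() {
    $user_id = get_current_user_id();
    wp_set_password( (string) wp_unslash( $_POST['new_password'] ), $user_id );
    wp_send_json_success();
}

// --- Hardened pattern, step 1: embed a nonce bound to a specific action
// when rendering the account form (wp_nonce_field adds a hidden input).
function babe_example_render_account_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="my_account_update">';
    wp_nonce_field( 'babe_my_account_update', 'babe_nonce' ); // action, field name
    echo '<input type="password" name="new_password">';
    echo '<button type="submit">Update</button></form>';
}

// Step 2: on submission, reject a missing or invalid nonce before touching state.
// check_ajax_referer() wraps wp_verify_nonce() and terminates the request on failure.
function babe_example_my_account_update_protected() {
    check_ajax_referer( 'babe_my_account_update', 'babe_nonce' );

    // A nonce proves intent, not authorization: still confirm the caller is
    // logged in and is only allowed to change their own account.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( '' === $new_password ) {
        wp_send_json_error( 'missing password', 400 );
    }
    wp_set_password( $new_password, $user_id );
    wp_send_json_success();
}
// Register only the protected handler for the AJAX action.
add_action( 'wp_ajax_my_account_update', 'babe_example_my_account_update_protected' );
```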
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block CSRF attempts targeting the my_account_update endpoint.
- Educate administrators about phishing risks and implement strict click policies for suspicious links.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for the BA Book Everything version. If the version is 1.6.20 or lower, the site is vulnerable.
Check Version:
wp plugin get ba-book-everything --field=version
Verify Fix Applied:
After updating, verify the plugin version is 1.6.21 or later in the WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=my_account_update from unexpected IPs
- Multiple failed login attempts or password reset requests for user accounts
Network Indicators:
- HTTP requests containing 'my_account_update' that lack the expected Referer header or nonce parameter
- Traffic patterns showing CSRF payloads in requests
SIEM Query:
source="wordpress.log" AND ("my_account_update" OR "admin-ajax.php") AND status=200
🔗 References
- https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-my-account.php#L562
- https://plugins.trac.wordpress.org/browser/ba-book-everything/tags/1.6.20/includes/class-babe-users.php#L203
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3152728%40ba-book-everything&new=3152728%40ba-book-everything&sfp_email=&sfph_mail=#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b691560e-e285-467c-9d52-1620c63de1f0?source=cve