CVE-2024-9193
📋 TL;DR
This vulnerability in the WHMpress - WHMCS WordPress Integration Plugin is a Local File Inclusion flaw reachable by unauthenticated attackers through the plugin's whmpress_domain_search_ajax_extended_results AJAX handler. An attacker can make the plugin include arbitrary files from the server's filesystem, so any PHP code in those files is executed; combined with any way of placing an attacker-controlled file on the server (for example an image upload), this becomes remote code execution. Attackers can also leverage it to gain administrative access by modifying WordPress settings and registering themselves as administrators. All WordPress sites running WHMpress versions up to and including 6.3-revision-0 are affected.
💻 Affected Systems
- WHMpress - WHMCS WordPress Integration Plugin
📦 What is this software?
WHMpress is a WordPress plugin by WHMpress that integrates WHMCS (a hosting billing and automation platform) into a WordPress site, rendering WHMCS products, domain search and ordering pages from within WordPress.
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with administrative access, data theft, defacement, and potential server takeover if combined with other vulnerabilities.
Likely Case
Administrative account creation leading to site takeover, data exfiltration, and malware installation.
If Mitigated
Impact is reduced only if the attacker has no way to place a file they control on the server (uploads limited to trusted users, no world-writable scratch locations). Web-server rules that block direct execution of PHP in the uploads directory do not close this bug: the vulnerable handler include()s the file from the filesystem, so its PHP runs regardless of how the web server would serve it. Even without an upload path, the inclusion itself can still expose local files and the settings-modification path to an administrator account remains.
🎯 Exploit Status
Exploitation is straightforward and proof-of-concept code is publicly available; no authentication is required. To turn the file inclusion into remote code execution an attacker needs any file they control on the server, which an upload path accepting even 'safe' types such as images can provide.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 6.3-revision-0
Vendor Advisory: https://whmpress.com/docs/change-log/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WHMpress plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Immediate Plugin Deactivation
Temporarily disable the vulnerable plugin to prevent exploitation (all platforms; run with WP-CLI from the WordPress root):
wp plugin deactivate whmpress
Block PHP Execution in the Uploads Directory
Prevent the web server from executing PHP files dropped into the WordPress uploads directory (Linux, Apache 2.4 syntax; on Apache 2.2 use `Deny from all` inside the FilesMatch block, and nginx ignores .htaccess entirely). This only stops direct requests to such files; it does not stop the vulnerable handler from include()-ing them, so it limits follow-on webshell use rather than closing the LFI.
printf '%s\n' '<FilesMatch "\.(php|phtml|phar)$">' 'Require all denied' '</FilesMatch>' > /path/to/wp-content/uploads/.htaccess
chmod 644 /path/to/wp-content/uploads/.htaccess
🧯 If You Can't Patch
- Immediately deactivate and remove the WHMpress plugin from all WordPress installations
- Implement web application firewall rules that block requests to /wp-admin/admin-ajax.php whose action parameter invokes the whmpress_domain_search_ajax_extended_results handler, and drop any request to that endpoint carrying directory-traversal sequences (../ and its URL-encoded variants) or stream wrappers such as php://. This assumes the AJAX action name matches the handler name; confirm it against the add_action('wp_ajax_nopriv_...') registration in the installed plugin before relying on the rule.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WHMpress version 6.3-revision-0 or earlier
Check Version:
wp plugin get whmpress --field=version
Verify Fix Applied:
Verify WHMpress plugin version is higher than 6.3-revision-0 or plugin is completely removed
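The version check above is easy to do by hand on one site, but when sweeping many document roots it helps to have a scripted comparison that understands the "6.3-revision-0" version scheme. The following is an added example, not code from the advisory or from the WHMpress project. It assumes WHMpress versions follow "MAJOR.MINOR[-revision-N]", that a missing "-revision-N" suffix means revision 0, and that any version sorting above 6.3-revision-0 is a fixed release (the page only says the fix is a version after 6.3-revision-0). The plugin's main file name is not given on this page, so the path argument is a placeholder and the header text is a constructed sample.

```python
"""Added example (not from the advisory or the WHMpress project): decide whether
an installed WHMpress version falls in the affected range (<= 6.3-revision-0)
by reading the plugin header, without relying on WP-CLI.

Assumptions: version scheme "MAJOR.MINOR[-revision-N]", missing suffix == revision 0,
anything sorting above 6.3-revision-0 is fixed. The plugin file path is a placeholder.
"""
import re

LAST_VULNERABLE = "6.3-revision-0"

# e.g. "6.3", "6.3-revision-0", "6.2.1-revision-3"
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:-revision-(\d+))?\s*$")

# Standard WordPress plugin header line, e.g. " * Version: 6.3-revision-0"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """Return a comparable key ((numbers...), revision); raise ValueError on junk."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHMpress version string: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:   # treat 6.3.0 as 6.3
        numbers.pop()
    revision = int(m.group(2)) if m.group(2) is not None else 0
    return tuple(numbers), revision


def is_vulnerable(version):
    """True when the version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def version_from_plugin_header(source):
    """Extract the Version: field from the contents of a plugin's main PHP file."""
    m = HEADER_RE.search(source)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def check_plugin_file(path):
    """Return (version, vulnerable) for the plugin main file at `path` (placeholder path)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)  # WordPress itself only reads the first 8 KiB for headers
    version = version_from_plugin_header(header)
    return version, is_vulnerable(version)


# Constructed sample plugin header, for demonstration only.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WHMpress - WHMCS WordPress Integration Plugin
Version: 6.3-revision-0
*/
"""

if __name__ == "__main__":
    v = version_from_plugin_header(SAMPLE_HEADER)
    print(v, "VULNERABLE" if is_vulnerable(v) else "not in affected range")
    for candidate in ("6.2", "6.3", "6.3-revision-1", "6.4"):
        print(candidate, "vulnerable" if is_vulnerable(candidate) else "fixed")
```

Point check_plugin_file() at the plugin's main PHP file under wp-content/plugins/ on each site; a "VULNERABLE" result means the plugin must be updated or removed, and an unparseable version string should be treated as vulnerable until confirmed by hand.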
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php whose action parameter names 'whmpress_domain_search_ajax_extended_results', especially when the query string also carries ../ sequences (plain or URL-encoded) or stream wrappers such as php://
- PHP error or warning log entries from include()/require() of unexpected paths (failed opens of traversal paths, /etc/passwd, wp-config.php)
- Unexpected changes to the users_can_register or default_role options, or creation of a new administrator account, shortly after requests to the plugin's AJAX endpoint
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with whmpress parameters
- Unusual file uploads to WordPress media library
SIEM Query:
source="wordpress.log" AND "whmpress_domain_search_ajax_extended_results"
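The SIEM query above matches the handler name only. The following added example (not from the advisory) runs the same indicators over web-server access-log lines, also catching URL-encoded and double-encoded traversal and stream-wrapper markers anywhere in the request line. It assumes Apache/nginx combined log format and that the AJAX action sent in the action parameter equals the handler name (not confirmed by the page); the parameter name that carries the included path is not given on this page, so the sample uses a placeholder file=. The log lines are constructed. Access logs record only the query string, so POST bodies to admin-ajax.php (the usual way WordPress AJAX is invoked) need a WAF or PHP-level request log to inspect; this script will not see them.

```python
"""Added example (not from the advisory): flag access-log lines that hit the
WHMpress AJAX handler or carry generic local-file-inclusion markers.

Assumptions: combined log format; action name == handler name; `file=` is a
placeholder parameter name; sample log lines are constructed.
"""
import re
from urllib.parse import unquote

HANDLER = "whmpress_domain_search_ajax_extended_results"

# Generic LFI markers, matched after two rounds of URL-decoding so that both
# %2e%2e%2f and double-encoded %252e%252e%252f are caught. Compared lower-case.
LFI_MARKERS = ("../", "..\\", "php://", "phar://", "data://", "/etc/passwd", "wp-config.php")

# Combined log format: host ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = unquote(unquote(raw)).lower()
    reasons = []
    is_ajax = "/wp-admin/admin-ajax.php" in decoded
    if is_ajax and HANDLER in decoded:
        reasons.append("whmpress-handler")      # direct hit on the vulnerable AJAX action
    elif is_ajax and "whmpress" in decoded:
        reasons.append("whmpress-ajax")         # other WHMpress AJAX traffic, lower confidence
    hits = [mk for mk in LFI_MARKERS if mk in decoded]
    if hits:
        reasons.append("lfi-marker:" + ",".join(hits))
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "path": raw, "reasons": reasons}


def scan(lines):
    """Classify every line; keep only findings."""
    return [f for f in (classify(line) for line in lines) if f]


def by_source(findings):
    """Count findings per client IP so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log (not real traffic): one traversal hit on the handler, a
# benign image fetch, a normal admin-ajax POST (body not visible), a double-encoded
# traversal against the handler, and a php://filter probe against another endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=whmpress_domain_search_ajax_extended_results&file=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - - [10/Oct/2024:12:00:02 +0000] "GET /wp-content/uploads/2024/10/logo.png HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 84 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=whmpress_domain_search_ajax_extended_results&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "python-requests/2.32"
203.0.113.7 - - [10/Oct/2024:12:00:05 +0000] "GET /index.php?p=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.32"
"""

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f["time"], f["ip"], f["method"], f["status"], "; ".join(f["reasons"]))
    print(by_source(findings))
```

Feed real access logs with scan(open(path)) and treat any "whmpress-handler" finding with an LFI marker as a confirmed exploitation attempt; a 200 status on such a request is the strongest signal, while 500s suggest a failed probe that still warrants blocking the source and checking for new administrator accounts.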