CVE-2024-9461
📋 TL;DR
This vulnerability allows authenticated attackers with Administrator-level WordPress access to execute arbitrary code on the server via the cron_interval parameter of the Total Upkeep plugin. All WordPress sites running version 1.16.6 or earlier of the plugin are affected. The root cause is missing input validation and sanitization of that parameter. Because Administrator access is required, the practical impact is turning a compromised admin account or stolen admin session into code execution on the underlying host, including on deployments that otherwise stop administrators from installing or editing plugin code (for example with DISALLOW_FILE_MODS set).
💻 Affected Systems
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
📦 What is this software?
Total Upkeep (plugin slug boldgrid-backup) is a WordPress backup, restore and migration plugin by BoldGrid.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to install malware, steal data, deface websites, or use the server for further attacks.
Likely Case
Attackers with compromised admin credentials could execute code to establish persistence, exfiltrate sensitive data, or deploy ransomware.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires valid Administrator credentials or an active Administrator session, but is low-complexity once that access is obtained. The vulnerability is publicly documented; see the vendor reference below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.7 or later
Vendor Reference: https://wordpress.org/plugins/boldgrid-backup/#developers (plugin changelog on WordPress.org)
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Total Upkeep' plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 1.16.7 or later from the WordPress.org plugin repository and update manually.
6. Confirm the installed version now reads 1.16.7 or later (see How to Verify below); an update that silently failed leaves the site exposed.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Total Upkeep plugin until it is patched. Scheduled backups will not run while it is deactivated, so plan the window accordingly:
wp plugin deactivate boldgrid-backup
Restrict admin access
Implement strict access controls (MFA, the minimum number of Administrator accounts, IP restrictions on /wp-admin where practical) and monitoring for WordPress Administrator accounts, since an Administrator session is the precondition for exploitation.
🧯 If You Can't Patch
- Implement strict monitoring of WordPress Administrator account activity and failed login attempts, and cut the number of Administrator accounts to the minimum needed
- Deploy web application firewall rules that inspect request bodies and block cron_interval values containing anything other than a plain interval value; settings changes like this are normally submitted in a POST body, so rules that only inspect the URL and query string will miss them
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Total Upkeep version. If version is 1.16.6 or lower, you are vulnerable.
Check Version:
wp plugin get boldgrid-backup --field=version
Verify Fix Applied:
Verify plugin version is 1.16.7 or higher in WordPress admin panel. Test cron functionality to ensure plugin still works properly.
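Added example, not code from the advisory or from BoldGrid: a POSIX shell check that compares an installed Total Upkeep version against 1.16.7, the first fixed release named above. It reads the version either from the plugin's main-file header (assumed to follow the standard WordPress "Version:" header convention; the sample header below is constructed, and the real main-file name is not given on this page) or, on a live site, from the WP-CLI command shown in the section above. The fixed version number is the only value taken from the page.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed Total Upkeep build predates the fixed release. Assumptions: the
# fixed version is 1.16.7 (from the advisory) and the plugin's main file
# carries the standard WordPress "Version:" header.
set -eu

FIXED_VERSION="1.16.7"

# version_lt A B: succeed (exit 0) when dotted numeric version A is strictly
# lower than B. Compares component by component, so 1.16.10 sorts above 1.16.7
# (a plain string compare would get that wrong).
version_lt() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca="${va%%.*}"; cb="${vb%%.*}"
        if [ "$va" = "$ca" ]; then va=""; else va="${va#*.}"; fi
        if [ "$vb" = "$cb" ]; then vb=""; else vb="${vb#*.}"; fi
        ca="${ca:-0}"; cb="${cb:-0}"          # missing components count as 0
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
    done
    return 1
}

# vuln_status VERSION: print VULNERABLE or PATCHED; exit 1 when vulnerable so
# the function can drive a script's exit code.
vuln_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: $1 is below $FIXED_VERSION"
        return 1
    fi
    echo "PATCHED: $1 is $FIXED_VERSION or later"
}

# plugin_version FILE: pull the "Version:" value out of a WordPress plugin
# header comment block.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample header standing in for the plugin's main PHP file under
# wp-content/plugins/boldgrid-backup/ (the real file name is not given here).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
<?php
/**
 * Plugin Name: Total Upkeep
 * Version: 1.16.6
 */
EOF

# On a live site, feed in the version WP-CLI reports instead:
#   vuln_status "$(wp plugin get boldgrid-backup --field=version)"
vuln_status "$(plugin_version "$SAMPLE")" || echo "Update to $FIXED_VERSION or later."
```

The component-wise compare matters because the patched line continues past 1.16.9; a string comparison would report 1.16.10 as older than 1.16.7.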
📡 Detection & Monitoring
Log Indicators:
- cron_interval values containing shell metacharacters or percent-encoded characters rather than a plain interval value; stock web-server access logs do not record POST bodies, so this needs a WAF, reverse proxy or WordPress audit-log plugin that captures request bodies
- Administrator logins from new source addresses or at unusual times, followed by changes to Total Upkeep settings
- Unexpected PHP execution in plugin directories, and new or modified PHP files under wp-content/plugins or wp-content/uploads
Network Indicators:
- Unusual outbound connections from the WordPress server shortly after an Administrator login or settings change
- POST requests to wp-admin carrying a manipulated cron_interval parameter (only visible where request bodies are logged)
SIEM Query:
source="wordpress.log" AND ("cron_interval" OR "boldgrid-backup") AND status=200 AND user_role="administrator"
The query above is illustrative pseudo-syntax: field names such as status and user_role depend on your log schema, and most access logs carry no user role, so in practice the request log has to be joined with an authentication or audit log keyed on session or source address.
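Added example, not part of the advisory: the request-body check behind the first log indicator above, run over a few constructed log lines. It assumes a WAF or reverse-proxy log that records POST bodies as URL-encoded form data (stock access logs do not), and it assumes a legitimate cron_interval only ever uses characters from [A-Za-z0-9_.-], so any other character, including any percent-encoded one, is treated as suspicious. The log format and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag requests whose cron_interval
# value does not look like a plain interval. Assumptions: the log comes from a
# WAF or reverse proxy that records POST bodies (constructed format below), and
# a legitimate value uses only [A-Za-z0-9_.-]; anything else, including a
# percent-encoded byte, is suspicious.
set -eu

# flag_cron_interval LOGFILE: print one line per request carrying a suspicious
# cron_interval value. Lines without the parameter are ignored.
flag_cron_interval() {
    grep 'cron_interval=' "$1" | while IFS= read -r line; do
        # the value runs until the next '&', a closing quote, or whitespace
        value=$(printf '%s\n' "$line" | sed -n 's/.*cron_interval=\([^&" ]*\).*/\1/p')
        case "$value" in
            *[!A-Za-z0-9_.-]*)
                printf 'SUSPICIOUS cron_interval=%s :: %s\n' "$value" "$line" ;;
        esac
    done
}

# count_suspicious LOGFILE: number of flagged requests, for alert thresholds.
count_suspicious() {
    flag_cron_interval "$1" | wc -l | tr -d '[:space:]'
}

# Constructed sample: an admin saves a normal interval, a GET carries no body,
# then two requests smuggle shell metacharacters (one percent-encoded, one raw).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [12/Oct/2024:10:01:02 +0000] "POST /wp-admin/admin.php HTTP/1.1" 200 body="action=save&cron_interval=60&submit=1"
10.0.0.5 - - [12/Oct/2024:10:03:10 +0000] "GET /wp-admin/admin.php HTTP/1.1" 200 body=""
10.0.0.5 - - [12/Oct/2024:10:05:44 +0000] "POST /wp-admin/admin.php HTTP/1.1" 200 body="action=save&cron_interval=60%3B%20id&submit=1"
10.0.0.5 - - [12/Oct/2024:10:07:51 +0000] "POST /wp-admin/admin.php HTTP/1.1" 200 body="action=save&cron_interval=60|id"
EOF

flag_cron_interval "$SAMPLE_LOG"
echo "flagged: $(count_suspicious "$SAMPLE_LOG")"
```

Matching on the raw, still-encoded value keeps the rule simple and avoids the decoding step: an attacker who percent-encodes a semicolon to slip past a naive filter still trips the check because the percent sign itself is outside the allowed set.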