CVE-2024-9942
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files to WordPress sites using the WPGYM Gym Management System plugin due to missing file type validation. Attackers can potentially achieve remote code execution by uploading malicious files like PHP shells. All WordPress sites with this plugin installed are affected.
💻 Affected Systems
- WPGYM - WordPress Gym Management System
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as part of a botnet.
Likely Case
Website defacement, malware distribution, credential theft, or cryptocurrency mining.
If Mitigated
Limited impact if file execution is prevented through web server configuration or security plugins.
🎯 Exploit Status
Simple file upload bypass vulnerability that can be exploited with basic HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 67.1.0
Vendor Advisory: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WPGYM Gym Management System.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and remove the plugin immediately.
🔧 Temporary Workarounds
Web Server File Restriction
Configure the web server to block execution of uploaded files in upload directories, so that a file written there by the vulnerable upload handler is served as static content (or refused) rather than run by PHP.
# For Apache: add to .htaccess in wp-content/uploads/ (requires AllowOverride for that directory)
<FilesMatch "\.(php|php5|php7|phtml|phar)$">
    # Apache 2.2 syntax (also accepted by 2.4 when mod_access_compat is loaded)
    Order Allow,Deny
    Deny from all
    # Apache 2.4 equivalent: Require all denied
</FilesMatch>
# For Nginx: add to the server block. Regex locations are matched in file order,
# so this block must appear BEFORE the generic "location ~ \.php$" fastcgi handler,
# otherwise the PHP handler wins and the file is still executed.
location ~* /wp-content/uploads/.*\.(php|php5|php7|phtml|phar)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the WPGYM plugin from all WordPress installations.
- Implement web application firewall (WAF) rules to block file uploads to the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WPGYM Gym Management System version 67.1.0 or earlier.
Check Version:
# Check via WordPress CLI if available
wp plugin list --name="WPGYM" --field=version
Verify Fix Applied:
Verify plugin version is higher than 67.1.0 or plugin is completely removed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=mj_gmgt_user_avatar_image_upload
- File uploads with non-image extensions in wp-content/uploads/ directories
- Multiple failed upload attempts from single IP
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin-ajax endpoint
- Traffic spikes to upload directories
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (form_data CONTAINS "mj_gmgt_user_avatar_image_upload" OR user_agent CONTAINS "wpgym")
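The two log indicators above, turned into a small detector run over constructed web-server access-log lines. This is an added example, not part of the original advisory; the log lines and IP addresses are made up, and the only page-specific value is the action name from the Log Indicators list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=mj_gmgt_user_avatar_image_upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/10/avatar.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:01:10 +0000] "GET /wp-content/uploads/2024/10/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Same extensions the web-server workaround blocks.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
UPLOAD_ACTION = "mj_gmgt_user_avatar_image_upload"  # action name from the advisory


def classify(line):
    """Return a list of (indicator, ip, uri) findings for one log line, [] if benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, method, uri, status = m["ip"], m["method"], m["uri"], int(m["status"])
    parts = urlsplit(uri)
    findings = []
    # Indicator 1: POST to admin-ajax.php naming the vulnerable upload action.
    # Caveat: WordPress AJAX clients usually send "action" in the POST body, which
    # access logs do not record; body-level matching needs a WAF or SIEM field
    # like the form_data used in the SIEM query above.
    if method == "POST" and parts.path.endswith("/wp-admin/admin-ajax.php"):
        if UPLOAD_ACTION in parse_qs(parts.query).get("action", []):
            findings.append(("vulnerable_upload_action", ip, uri))
    # Indicator 2: a script-extension file successfully served from wp-content/uploads/,
    # which is exactly what the .htaccess / nginx workaround is meant to turn into a 403.
    if "/wp-content/uploads/" in parts.path and SCRIPT_EXT.search(parts.path) and status == 200:
        findings.append(("script_in_uploads", ip, uri))
    return findings


def scan(log_text):
    """Scan multi-line log text and return all findings in order of appearance."""
    out = []
    for line in log_text.splitlines():
        out.extend(classify(line))
    return out


if __name__ == "__main__":
    for indicator, ip, uri in scan(SAMPLE_LOG):
        print(f"{indicator}\t{ip}\t{uri}")
```

On the constructed sample this reports two findings for 203.0.113.5 (the upload action, then a .php file served from uploads) and nothing for the benign heartbeat and PNG requests.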