A critical vulnerability, tracked as CVE-2024-12583, affects the Dynamics 365 Integration plugin for WordPress in all versions up to and including 1.3.23. It allows Remote Code Execution (RCE) and Arbitrary File Read via Twig Server-Side Template Injection (SSTI).

Vulnerability Details

Authenticated attackers with Contributor-level access and above can exploit this vulnerability to execute code on the server and read arbitrary files, which in turn enables privilege escalation and data leakage. The root cause is missing input validation and sanitization in the plugin's render function: user-controlled input is included in the Twig template source rather than passed to a fixed template as data.

Because Twig parses the resulting string as template code, an attacker can embed Twig syntax (tags, expressions, filters and functions) in that input and have it evaluated with the privileges of the web server process. Contributor-level access is a low prerequisite; on multi-author sites that role is commonly granted to semi-trusted users, and it cannot publish content, so the requirement is weaker than it may sound.
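The following PHP script is an added illustration and is not the plugin's code (which this page does not show). It contrasts the vulnerable pattern described above, where user input becomes part of the template source, with two safe forms: passing the input to a fixed template as a variable, and running user-authored templates under Twig's sandbox. It assumes Twig 3 installed with Composer; the helper names and the sample input are constructed for the example.

```php
<?php
// Added example, not code from the Dynamics 365 Integration plugin.
// Assumes Twig 3 installed with Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// VULNERABLE (hypothetical helper): the user-controlled string is spliced into
// the template source, so Twig compiles and executes any syntax it contains.
function render_vulnerable(Environment $twig, string $userInput): string
{
    $source = '<p>Hello ' . $userInput . '</p>';
    return $twig->createTemplate($source)->render([]);
}

// SAFE (hypothetical helper): the template is fixed and the user input is only
// ever a variable. Twig autoescapes it for HTML and never parses it as syntax.
function render_fixed(Environment $twig, string $userInput): string
{
    return $twig->render('greeting', ['name' => $userInput]);
}

// DEFENCE IN DEPTH (hypothetical helper): if user-authored templates are a
// feature, run them under the sandbox with an explicit allow-list. Anything
// outside the list (tags, filters, functions, methods, properties) raises
// SecurityError instead of executing.
function render_sandboxed(string $userTemplate): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],          // allowed tags
        ['escape', 'upper'],    // allowed filters
        [],                     // allowed methods
        [],                     // allowed properties
        []                      // allowed functions
    );
    $twig = new Environment(new ArrayLoader());
    // second argument true = every template is sandboxed, not only {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->createTemplate($userTemplate)->render([]);
    } catch (SecurityError $e) {
        return 'blocked: ' . $e->getMessage();
    }
}

// Constructed stand-in for Contributor-supplied input. It is deliberately
// harmless: the point is whether Twig evaluates it, not what it does.
$userInput = '{{ 7 * 7 }}';

$twig = new Environment(new ArrayLoader([
    'greeting' => '<p>Hello {{ name }}</p>',
]));

echo render_vulnerable($twig, $userInput), "\n";
echo render_fixed($twig, $userInput), "\n";

// Sandbox: plain arithmetic is permitted, but a filter outside the allow-list
// is refused even though "join" is harmless here.
echo render_sandboxed('{{ 7 * 7 }}'), "\n";
echo render_sandboxed("{{ ['a', 'b']|join(',') }}"), "\n";
```

The vulnerable helper evaluates the expression and prints 49 inside the paragraph, which is the SSTI primitive; the fixed helper prints the literal text `{{ 7 * 7 }}`, because a variable is data, not syntax. The sandboxed helper shows why an allow-list is the right shape: the attacker's reach is limited to exactly the tags, filters and functions you named, so a `map`, `filter` or `reduce` that could invoke arbitrary PHP callables is simply unavailable.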

Exploit Details

To exploit this vulnerability, an attacker with Contributor-level access or higher submits a value that reaches the vulnerable render function, for example via a POST request to the affected WordPress instance. The snippet below shows the shape of an injected Twig payload. Note that Twig has no built-in `eval` filter, so as written Twig would reject it with an "Unknown filter" error; a working payload has to use filters or functions that the plugin's Twig environment actually exposes, which this page does not enumerate:

{% set cmd = 'touch /tmp/CVE-2024-12583' %}
{% set res = cmd|eval %}

A request carrying such a payload can be built with curl. It must be sent with the Contributor's authenticated session cookie (and any nonce the handler expects), and the payload must be URL-encoded. The parameter name, the cookie value and the payload below are placeholders, since the page does not identify the exact request handler:

curl -X POST \
  --cookie "wordpress_logged_in_<hash>=<cookie value>" \
  --data-urlencode "malicious_payload=<Twig payload>" \
  "http://example.com/wp-admin/admin-ajax.php"

For more information and details, refer to the following sources:

1. Dynamics 365 Integration Plugin Homepage
2. CVE-2024-12583 Vulnerability Information
3. Official Statement and Patch from Plugin Developers
4. Twig Documentation on Server-Side Template Injection

Mitigation

Update the Dynamics 365 Integration plugin to version 1.3.24 or later, which contains the patch. The plugin developers addressed the issue promptly, and the fix corrects the input validation and sanitization in the render function. Until the update is applied, review which accounts hold Contributor-level access or higher, since that is the only prerequisite for exploitation.

Conclusion

CVE-2024-12583 is a critical vulnerability that affects all versions of the Dynamics 365 Integration plugin for WordPress up to, and including, 1.3.23. It allows authenticated attackers, with Contributor-level access and above, to perform Remote Code Execution and Arbitrary File Read, posing significant security risks to affected websites.

To protect against this vulnerability, update the plugin to version 1.3.24 or later. More generally, user input must never be inserted into a Twig template's source; it should be passed to a fixed template as a variable, and any feature that has to render user-authored templates should run them under Twig's sandbox with a restrictive allow-list.

Timeline

Published on: 01/04/2025 09:15:06 UTC