CVERadar

CVE-2024-8512

Medium Severity
SVRS
30/100

CVSSv3
NA/10

EPSS
0.0193/1

CVE-2024-8512 is a critical Remote Code Execution vulnerability in the W3SPEEDSTER WordPress plugin. The flaw allows attackers who already hold Administrator privileges to execute arbitrary code on the server. Versions up to and including 7.26 are affected because the 'script' parameter handled in the hookBeforeStartOptimization() function is passed to PHP's eval() without sanitization. Despite a low SVRS of 30, it remains a significant risk: successful exploitation can lead to complete compromise of the host. Immediate patching or mitigation is advised if the plugin is in use; had the SVRS been higher (above 80), the urgency would be far greater. The vulnerability illustrates the danger of calling eval() on untrusted input in web applications.

In The Wild
2024-10-30

2024-11-01

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-8512 | W3speedster Plugin up to 7.26 on WordPress neutralization of directives
vuldb.com, 2024-10-31
CVE-2024-8512 | W3speedster Plugin up to 7.26 on WordPress neutralization of directives | A vulnerability was found in W3speedster Plugin up to 7.26 on WordPress. It has been classified as critical. Affected is an unknown function. The manipulation leads to improper neutralization of directives in dynamically evaluated code ('eval injection'). This vulnerability is traded as CVE-2024-8512. It is possible to launch the attack remotely. There is

Social Media

CVE-2024-8512 The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStart… https://t.co/DSLV14WvC0
[CVE-2024-8512: CRITICAL] WordPress plugin W3SPEEDSTER is at risk due to a Remote Code Execution vulnerability in all versions up to 7.26. Attackers with admin access can exploit it via the 'script' parameter.#cybersecurity,#vulnerability https://t.co/laqIkWxqmb https://t.co/kAtckzh0aX

Affected Software

No affected software found for this CVE

References

Reference         Link
[email protected]  https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740
[email protected]  https://plugins.trac.wordpress.org/changeset/3175640/
[email protected]  https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve

CWE Details

CWE ID   CWE Name                                                                             Description
CWE-95   Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')   The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. eval).
