CVE-2024-5488
published 2024-07-09
CVE-2024-5488: The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can…
Priority P268 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 3.77% (88.6th percentile)
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seopress | seopress | < 7.9 | 7.9 |
Detection & IOCs (extracted from sources)
- Probe for unauthenticated access to the SEOPress REST API route by sending a PUT request to /wp-json/seopress/v1/posts/{id}/title-description-metas without credentials; a response containing 'Sorry, you are not allowed to do that.' confirms the endpoint exists but is (partially) protected.
- Exploitation is confirmed when a PUT request with Basic auth using any password (e.g., 'aaaaaa') against the SEOPress REST API returns a JSON success response containing '"code":"success"', indicating authentication bypass.
- Monitor for PUT requests to WordPress REST API paths matching the pattern /wp-json/seopress/v1/posts/*/title-description-metas, especially from unauthenticated or weakly-authenticated sources, as this is the vulnerable endpoint enabling auth bypass and object injection.
- A three-step attack flow is used: (1) confirm endpoint existence via unauthenticated PUT, (2) exploit auth bypass via Basic auth with arbitrary password, (3) verify data write via GET to the same endpoint. Alert on this sequence from a single source IP.
- The object injection gadget chain exploitation is only possible if a suitable PHP gadget chain is present in the target WordPress environment (e.g., via other installed plugins or themes). The auth bypass alone does not guarantee RCE.
- The Nuclei template targets post ID 1 specifically; in real-world exploitation, attackers may iterate over arbitrary post IDs. Detection rules should not be limited to post ID 1.
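The sequence alert described in the list above, sketched as an added example (not code from this page, SEOPress or the Nuclei template). It assumes an nginx-style combined access log whose third field holds the Basic-auth user name supplied by the client; the 10-minute window and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Route named on the page; \d+ covers any post ID, not only ID 1.
ROUTE = re.compile(r"^/wp-json/seopress/v1/posts/(\d+)/title-description-metas/?(?:\?.*)?$")
# Assumed log layout: ip - remote_user [time] "METHOD uri proto" ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample lines (documentation IP ranges, invented user, statuses and sizes).
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2024:10:00:01 +0000] "PUT /wp-json/seopress/v1/posts/42/title-description-metas HTTP/1.1" 401 120',
    '203.0.113.7 - someuser [10/Jul/2024:10:00:02 +0000] "PUT /wp-json/seopress/v1/posts/42/title-description-metas HTTP/1.1" 200 85',
    '203.0.113.7 - - [10/Jul/2024:10:00:03 +0000] "GET /wp-json/seopress/v1/posts/42/title-description-metas HTTP/1.1" 200 300',
    '198.51.100.4 - - [10/Jul/2024:10:05:00 +0000] "PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1" 401 120',
    '198.51.100.4 - - [10/Jul/2024:10:05:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900',
]

def detect(lines):
    """Return (alerts, put_sources): alerts lists (ip, post_id) pairs that ran
    PUT without user -> PUT with Basic user -> GET on the same route within
    WINDOW; put_sources is every IP that sent any PUT to the route."""
    state = {}  # (ip, post_id) -> (step reached, time of step 1)
    alerts, put_sources = [], set()
    for line in lines:
        m = LINE.match(line)
        route = m and ROUTE.match(m.group(5))
        if not route:
            continue  # unparseable line or a different endpoint
        ip, user, ts, method = m.group(1, 2, 3, 4)
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, int(route.group(1)))
        step, start = state.get(key, (0, when))
        if step and when - start > WINDOW:
            step = 0  # sequence went stale
        if method == "PUT":
            put_sources.add(ip)
            if user == "-":
                state[key] = (1, when)   # step 1: PUT without credentials
            elif step >= 1:
                state[key] = (2, start)  # step 2: PUT with a Basic-auth user
        elif method == "GET" and step == 2:
            alerts.append(key)           # step 3: read-back on the same route
            state.pop(key, None)
    return alerts, put_sources

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The `put_sources` set covers the broader monitoring point (any PUT to the route), while `alerts` fires only on the full three-step sequence for one source IP and post ID.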
Suricata
ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887)
suricata·2025-01-27·CVSS 8.0
CVE-2024-54887 [HIGH] ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TP-Link TL-WR940N Hardware v3/v4 Authenticated Remote Code Execution (CVE-2024-54887)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userRpm/Wan6to4TunnelCfgRpm.htm?"; fast_pattern; content:"dnsserver"; pcre:"/^[12]\x3d[^\x26]*?\x27\x70\xc0\x01\x2a/R"; reference:url,infosecwriteups.com/reversing-discovering-and-exploiting-a-tp-link-router-vulnerability-cve-2024-54887-341552c4b104; reference:cve,2024-54887; classtype:web-application-attack; sid:2059682; rev:1; metadata:affected_product TPLINK, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_27, cve CVE_2024_5488
Nuclei
SEOPress < 7.9 - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-5488 [CRITICAL] SEOPress < 7.9 - Authentication Bypass
Template:
id: CVE-2024-5488
info:
  name: SEOPress < 7.9 - Authentication Bypass
  author: pdresearch,iamnoooob,rootxharsh
  severity: critical
  description: |
    The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.
  impact: |
    Unauthenticated attacker
No writeups or analysis indexed.
Published: 2024-07-09