CVE-2024-9193
published 2025-02-28

CVE-2024-9193: The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including…

Priority: P184 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 3.11% (86.2nd percentile)
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. Utilizing the /admin/services.php file, this can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affected (3 ranges)

Vendor     | Product                                     | Version range     | Fixed in
creativeon | whmpress_whmcs_wordpress_integration_plugin | <= 6.3-revision-0 |
whmpress   | whmcs                                       | < 6.3             | 6.3
whmpress   | whmcs                                       |                   |

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command: action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&is_title=no&params[style]=../../../../../../../../../../../usr/local/lib/php/pearcmd
Path: /tmp/
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php containing the parameter 'action=whmpress_action' combined with 'do=whmpress_domain_search_ajax_extended_results' — this is the vulnerable AJAX handler for CVE-2024-9193.
  • Monitor for response bodies containing both 'whmpress_action' and 'CHANNEL PEAR.PHP.NET', or 'PEAR_Config', which are indicators of successful pearcmd-based LFI exploitation.
  • Monitor WordPress options changes (e.g., default_role set to 'administrator', user_registration enabled) following exploitation, as attackers leverage /admin/services.php to escalate privileges.
  • Flag PHP file creation or inclusion from /tmp/ (e.g., /tmp/*.php) on the web server, which is a common second-stage indicator when pearcmd is abused to write and then include a webshell.
  • The vulnerability affects WHMpress plugin versions up to and including 6.3-revision-0; ensure version checks are scoped accordingly to avoid false positives on patched installations.
  • The attack is unauthenticated (no session or nonce is required), meaning perimeter controls relying on authentication checks will not block exploitation of this endpoint.
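As an added example (not part of this CVE record or of the plugin), the detection bullets above expressed as a small triage script. It assumes a constructed request-log format that records the POST body and the WordPress login state, as a WAF or request-body log would; the handler, parameter names and traversal string are taken from the IOCs above.

```python
# Added example for the detection bullets above, not part of the CVE record.
# Assumed log line format (a WAF/request-body log; plain access logs omit POST bodies):
#   <client_ip> <METHOD> <path> "<url-encoded body>" <wp_logged_in:0|1>
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "whmpress_action"
VULN_DO = "whmpress_domain_search_ajax_extended_results"
# a "../" or "..\" segment in params[style] escapes the plugin's template directory
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" ([01])$')

def assess(line):
    """Return (severity, details): "none" unrelated, "info" vulnerable handler
    called with a plain template name, "high" traversal in params[style]."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip, method, path, body, logged_in = m.groups()
    if path != AJAX_PATH:
        return "none", {}
    params = parse_qs(body, keep_blank_values=True)  # also decodes %2e%2e-style encoding
    first = lambda key: params.get(key, [""])[0]
    if first("action") != VULN_ACTION or first("do") != VULN_DO:
        return "none", {}
    style = first("params[style]")
    details = {"ip": ip, "method": method, "authenticated": logged_in == "1", "style": style}
    # The handler needs no session or nonce, so an unauthenticated call alone is not
    # proof of abuse (the site's own domain-search widget uses it); traversal is.
    return ("high" if TRAVERSAL.search(style) else "info"), details

def triage(lines):
    """Group source IPs by severity for a quick report."""
    report = {"high": [], "info": []}
    for line in lines:
        severity, details = assess(line)
        if severity in report:
            report[severity].append(details["ip"])
    return report

# Constructed sample traffic: a legitimate widget call, an attempt using the pearcmd
# traversal string quoted in the IOC list above, and an unrelated admin-ajax request.
SAMPLE_LOG = [
    '203.0.113.7 POST /wp-admin/admin-ajax.php "action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&params[style]=default" 0',
    '198.51.100.9 POST /wp-admin/admin-ajax.php "action=whmpress_action&do=whmpress_domain_search_ajax_extended_results&page_size=1&is_title=no&params[style]=../../../../../../../../../../../usr/local/lib/php/pearcmd" 0',
    '192.0.2.4 POST /wp-admin/admin-ajax.php "action=heartbeat&_nonce=0123abcd" 1',
]
```

Running `triage(SAMPLE_LOG)` reports only the second source under "high"; the first, a plain unauthenticated call to the handler, is kept at "info" to avoid alerting on the plugin's normal front-end traffic.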

CVSS provenance

NVD: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL