Check & Log Email Vulnerability – Unauthenticated Hook Injection – CVE-2024-0866 |WordPress Plugin Vulnerability Report
Plugin Name: Check & Log Email
Key Information:
- Software Type: Plugin
- Software Slug: check-email
- Software Status: Active
- Software Author: checkemail
- Software Downloads: 1,430,487
- Active Installs: 100,000
- Last Updated: March 25, 2024
- Patched Versions: 1.0.10
- Affected Versions: <= 1.0.9
Vulnerability Details:
- Name: Check & Log Email <= 1.0.9
- Title: Unauthenticated Hook Injection
- Type: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-0866
- CVSS Score: 8.1
- Publicly Published: March 25, 2024
- Researcher: Sean Murphy
- Description: The Check & Log Email plugin for WordPress, essential for monitoring and logging emails sent from your WordPress site, has been identified with a critical vulnerability in versions up to and including 1.0.9. This vulnerability allows unauthenticated attackers to exploit the check_nonce function for Unauthenticated Hook Injection. This security flaw requires the attacker to know a nonce that is used in a hook that lacks a capability check, presenting a significant risk under certain conditions.
Summary:
The Check & Log Email plugin is vital for WordPress users who need to ensure the reliability of their email functionality. However, the discovery of an Unauthenticated Hook Injection vulnerability in versions up to 1.0.9 poses a serious security threat, potentially allowing attackers to execute arbitrary actions within WordPress. This vulnerability has been responsibly addressed in the newly released patch, version 1.0.10.
Detailed Overview:
This vulnerability, unveiled by researcher Sean Murphy, highlights a concerning lapse in the security measures of the Check & Log Email plugin. The exploit hinges on the attacker's ability to manipulate hooks in WordPress without authentication, provided they can bypass the nonce check designed to prevent such unauthorized actions. The high CVSS score of 8.1 reflects the severity of this vulnerability, emphasizing the potential for data compromise, integrity violation, and availability impact on affected WordPress sites.
Advice for Users:
To protect your WordPress site from this vulnerability, it is imperative to update the Check & Log Email plugin to the patched version, 1.0.10, immediately. Additionally, site administrators should remain vigilant for signs of compromise and consider employing additional security measures, such as security plugins and regular security audits. While a patch is available, exploring alternative plugins offering similar functionality may also be advisable as a precautionary measure. Above all, the consistent updating of all WordPress components is crucial for maintaining a secure digital environment.
Conclusion:
The prompt resolution of this vulnerability by the developers of the Check & Log Email plugin underscores the critical nature of timely software updates in safeguarding WordPress sites. Users are encouraged to verify that their installations are updated to version 1.0.10 or later, ensuring protection against the identified Unauthenticated Hook Injection vulnerability and reinforcing their site's defenses against potential future threats.