One Click Demo Import Vulnerability – Authenticated (Admin+) PHP Object Injection – CVE-2024-34433 | WordPress Plugin Vulnerability Report
Plugin Name: One Click Demo Import
Key Information:
- Software Type: Plugin
- Software Slug: one-click-demo-import
- Software Status: Active
- Software Author: smub
- Software Downloads: 15,730,116
- Active Installs: 1,000,000
- Last Updated: May 7, 2024
- Patched Versions: 3.2.1
- Affected Versions: <= 3.2.0
Vulnerability Details:
- Name: One Click Demo Import <= 3.2.0 - Authenticated (Admin+) PHP Object Injection
- Type: Deserialization of Untrusted Data
- CVE: CVE-2024-34433
- CVSS Score: 7.2 (High)
- Publicly Published: May 7, 2024
- Researcher: ngductung
- Description: The One Click Demo Import plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Summary:
The One Click Demo Import plugin for WordPress has a vulnerability in versions up to and including 3.2.0 that allows authenticated attackers with Administrator-level access and above to inject a PHP Object via deserialization of untrusted input. This vulnerability has been patched in version 3.2.1.
Detailed Overview:
The vulnerability was discovered by researcher ngductung and publicly published on May 7, 2024. It is located in the deserialization process of the One Click Demo Import plugin, where untrusted input can be used to inject a PHP Object. While no known POP chain is present in the plugin itself, if a POP chain exists through another installed plugin or theme, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code.
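As an added illustration of the bug class described above (PHP Object Injection through deserialization of untrusted input), the following PHP contrasts the generic vulnerable unserialize() pattern with a hardened one. This is not the plugin's code and does not show the specific code path behind CVE-2024-34433; ExampleGadget, import_settings_vulnerable and import_settings_hardened are hypothetical names.

```php
<?php
// Added illustration of PHP Object Injection via unserialize() on untrusted input.
// Not One Click Demo Import's code: every name here is hypothetical.

// Stand-in for a gadget class that some other installed plugin or theme might
// provide (the report notes the plugin itself has no known POP chain). Its magic
// method runs automatically when an injected instance is destroyed.
class ExampleGadget {
    public $target = '/tmp/example.txt';
    public function __destruct() {
        // A real gadget might act on $this->target; this one only reports.
        echo "ExampleGadget::__destruct reached for {$this->target}\n";
    }
}

// Vulnerable pattern: every object in the input is instantiated, so any class that
// is loaded at that moment becomes reachable to whoever controls the input.
function import_settings_vulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern: refuse object instantiation altogether. Arrays and scalars still
// round-trip; objects degrade to __PHP_Incomplete_Class and no magic methods run.
// (Storing settings as JSON and using json_decode() avoids the problem entirely.)
function import_settings_hardened(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed sample input: a hand-written serialized ExampleGadget, representing
// data an authenticated user could submit through a field fed to unserialize().
$payload = 'O:13:"ExampleGadget":1:{s:6:"target";s:16:"/tmp/example.txt";}';

$obj = import_settings_vulnerable($payload);
var_dump($obj instanceof ExampleGadget);   // the gadget is live
unset($obj);                               // __destruct fires here

$safe = import_settings_hardened($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);   // inert placeholder object
unset($safe);                              // nothing runs

// Ordinary serialized data is unaffected by the hardening.
$settings = import_settings_hardened(serialize(['theme' => 'demo-one']));
var_dump($settings['theme'] === 'demo-one');
```

Auditing for this class of bug means locating every unserialize() call whose input can be influenced by a request, an uploaded file or a database value a user can write, and either switching that data to JSON or passing allowed_classes => false.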
Advice for Users:
- Immediate Action: Users should update the One Click Demo Import plugin to version 3.2.1 or later to ensure their WordPress installations are secure.
- Check for Signs of Compromise: Users should review their WordPress sites for any suspicious activity or unauthorized changes that may indicate a compromise.
- Alternate Plugins: Even though a patch is available, users may want to evaluate plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.2.1 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/one-click-demo-import
Detailed Report:
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.