WordPress Plugin Vulnerabilities

Cwicly < 1.4.0.3 - Authenticated (Contributor+) Remote Code Execution

Description

The Cwicly plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.0.2. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
cwicly
Fixed in 1.4.0.3

References

CVE
CVE-2024-24707
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/21bcb740-6340-4ff7-815f-539175936ca1

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Snicco
Verified
No
WPVDB ID
e205baac-2891-42b3-b06c-c1b0612b4bd0

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-20 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2024-02-14
Title
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
Published
2025-04-25
Title
Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution
Published
2025-11-24
Title
Sneeit Framework < 8.4 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback
Published
2024-10-14
Title
AADMY – Add Auto Date Month Year Into Posts < 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2025-01-30
Title
WooCommerce Product Table Lite < 3.9.5 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting