CVE-2024-6297

Several WordPress.org Plugins <= Various Versions - Injected Backdoor

CVSS 10 CRITICALEPSS 1.0%

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 10EPSS 1.0%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

25 Jun 2024Published on NVD

10 Jan 2026Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products

blazeretail · BLAZE Retail Widget pedrogusmao02 · Wrapper Link Elementor stuartobrien · Simply Show Hooks themerex · Contact Form 7 Multi-Step Addon warfareplugins · Social Sharing Plugin – Social Warfare

public PoCs found — 1

githubgithub.com/Sudo-WP/sudowp-hooks-visualizer★ 2

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References