{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8512", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-09-06T13:43:10.915Z", "datePublished": "2024-10-30T11:00:59.962Z", "dateUpdated": "2024-10-30T14:04:13.997Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-10-30T11:00:59.962Z"}, "affected": [{"vendor": "w3speedster", "product": "W3SPEEDSTER", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "title": "W3SPEEDSTER <= 7.26 - Authenticated (Administrator+) Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740"}, {"url": "https://plugins.trac.wordpress.org/changeset/3175640/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "cweId": "CWE-95", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lesor101"}], "timeline": [{"time": "2024-10-29T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-30T13:51:21.318670Z", "id": "CVE-2024-8512", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T14:04:13.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-30T13:51:21.318670Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T13:54:28.030Z"}}], "cna": {"title": "W3SPEEDSTER <= 7.26 - Authenticated (Administrator+) Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Lesor101"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "w3speedster", "product": "W3SPEEDSTER", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.26"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-10-29T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740"}, {"url": "https://plugins.trac.wordpress.org/changeset/3175640/"}], "descriptions": [{"lang": "en", "value": "The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-10-30T11:00:59.962Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8512", "state": "PUBLISHED", "dateUpdated": "2024-10-30T14:04:13.997Z", "dateReserved": "2024-09-06T13:43:10.915Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-10-30T11:00:59.962Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}, {"lang": "es", "value": "El complemento W3SPEEDSTER para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 7.26 incluida a trav\u00e9s del par\u00e1metro 'script' de la funci\u00f3n hookBeforeStartOptimization(). Esto se debe a que el complemento pasa la informaci\u00f3n proporcionada por el usuario a eval(). Esto permite que atacantes autenticados, con acceso de nivel de administrador o superior, ejecuten c\u00f3digo en el servidor."}], "id": "CVE-2024-8512", "lastModified": "2024-11-01T12:57:03.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-10-30T11:15:15.963", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3175640/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-95"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}