CVE-2024-12583
Published: 04 January 2025
Description
The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
Security Summary
CVE-2024-12583 is a critical vulnerability in the Dynamics 365 Integration plugin for WordPress, affecting all versions up to and including 1.3.23. It enables Remote Code Execution (RCE) and Arbitrary File Read through Twig Server-Side Template Injection (SSTI), resulting from missing input validation and sanitization in the plugin's render function. The flaw carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-1336.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation lets them execute arbitrary code on the server and read arbitrary files, with high impact on confidentiality, integrity, and availability, potentially leading to full compromise of the affected WordPress site.
References: the vulnerable code in Twig.php at https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53, the fix in WordPress plugin changeset 3210927 at https://plugins.trac.wordpress.org/changeset/3210927/, and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8?source=cve.
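The root cause described above, user-supplied shortcode content reaching Twig's render path without validation, comes down to whether that content is treated as template source or as template data. The following is an added illustration, not the plugin's own code: the function names, the shortcode template and the sample input are hypothetical, and it assumes twig/twig is installed via Composer.

```php
<?php
// Added illustration (not the Dynamics 365 Integration plugin's code).
// Shows the two ways a WordPress shortcode handler can hand its body to
// Twig. Function and template names are hypothetical; assumes twig/twig
// is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// VULNERABLE PATTERN: the shortcode body becomes the *template source*.
// Anything a Contributor writes between the shortcode tags is compiled
// and evaluated by Twig, so template syntax in the post is executed
// server-side instead of being displayed.
function hypothetical_render_unsafe(array $atts, ?string $content, Environment $twig): string
{
    return $twig->createTemplate((string) $content)->render(['atts' => $atts]);
}

// HARDENED PATTERN: the template is fixed and ships with the plugin;
// the shortcode body is passed in as a *variable*. Twig never parses it
// as template code, and with autoescaping on it is HTML-escaped on output.
function hypothetical_render_safe(array $atts, ?string $content, Environment $twig): string
{
    return $twig->render('shortcode_body.twig', [
        'atts'    => $atts,
        'content' => (string) $content,
    ]);
}

$twig = new Environment(new ArrayLoader([
    // Only the plugin author controls template syntax here.
    'shortcode_body.twig' => '<div class="d365">{{ content }}</div>',
]), ['autoescape' => 'html']);

// Constructed sample input: post content containing Twig expression syntax,
// which a Contributor-level user can submit in a draft.
$content = 'Hello {{ 2 + 2 }}';

// The unsafe path evaluates the expression; the safe path emits the
// braces as literal text inside the fixed template.
echo hypothetical_render_unsafe([], $content, $twig), PHP_EOL;
echo hypothetical_render_safe([], $content, $twig), PHP_EOL;
```

As defense in depth, Twig's SandboxExtension with a restrictive SecurityPolicy limits which tags, filters and methods a template may call, but it is not a substitute for keeping user input out of the template source.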
Details
- CWE(s)