CVE-2024-9193

CVE-2024-9193 is a local file inclusion (LFI) vulnerability in the WHMpress - WHMCS WordPress Integration Plugin for WordPress, affecting all versions up to and including 6.3-revision-0. The issue resides in the whmpress_domain_search_ajax_extended_results() function, which allows unauthenticated attackers to include and execute arbitrary files on the server. This enables PHP code execution from included files, potentially bypassing access controls or accessing sensitive data, particularly when "safe" file types like images can be uploaded and then included.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows arbitrary PHP code execution, updating of WordPress options, and leveraging the /admin/services.php file to set the default user registration role to administrator while enabling registration. This grants attackers administrative access to the site.

Mitigation details are available in the plugin's change log at https://whmpress.com/docs/change-log/ and Wordfence's threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3b0e75-d2f0-48b7-ba33-75c4e998030e?source=cve. Security practitioners should review these for patch information and update to a fixed version if available.