CVE-2024-9593

nvd nist nuclei

Published: Oct 18, 2024Modified: Oct 29, 2024

8.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Exploitability: 3.9 / Impact: 3.7

Source: NVD

Description

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.

Affected (2)

Products: Wpplugin: Time Clock

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Wpplugin Time Clock	Up to 1.2.2
Wpplugin Time Clock	Up to 1.1.4

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://plugins.trac.wordpress.org/browser/time-clock/tags/1.2.2/includes/admin/ajax_functions_admin.php#L58

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset/3171046/time-clock#file40

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/247e599a-74e2-41d5-a1ba-978a807e6544?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.