CVE-2024-3562 is a critical vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, commonly known as 'Eval Injection') affecting the Custom Field Suite plugin for WordPress, developed by mgibbs189. The vulnerability exists in all versions up to and including 2.6.7 due to insufficient sanitization of input passed to the PHP eval() function within the Loop custom field feature. This flaw allows authenticated users with contributor-level permissions or higher to inject and execute arbitrary PHP code on the server hosting the WordPress site. Since eval() executes code dynamically, malicious input can lead to full remote code execution (RCE), enabling attackers to take over the server, manipulate site content, steal sensitive data, or disrupt service. The vulnerability requires authentication but no additional user interaction, and it is remotely exploitable over the network. The CVSS v3.1 base score is 8.8 (high), reflecting the ease of exploitation, the low attack complexity, and the severe impact on confidentiality, integrity, and availability. No official patches or updates have been released at the time of this report, and no known exploits are currently in the wild. However, the presence of this vulnerability in a widely used WordPress plugin poses a significant risk to websites relying on it for custom field management.

The impact of CVE-2024-3562 is severe for organizations running WordPress sites with the vulnerable Custom Field Suite plugin. Successful exploitation grants attackers the ability to execute arbitrary PHP code on the web server, effectively allowing full control over the affected system. This can lead to unauthorized data access, data modification or deletion, website defacement, deployment of malware or ransomware, and use of the compromised server as a pivot point for further attacks within the network. The vulnerability compromises confidentiality, integrity, and availability simultaneously. Given WordPress's widespread use in enterprises, government, and small businesses, the potential for large-scale exploitation exists, especially in environments where contributor-level access is granted to multiple users or where access controls are weak. The lack of public exploits currently limits immediate widespread attacks, but the vulnerability's nature and ease of exploitation make it a prime target for attackers once exploit code becomes available.

To mitigate CVE-2024-3562, organizations should immediately review and restrict user permissions, ensuring that only fully trusted users have contributor-level or higher access to WordPress sites using the Custom Field Suite plugin. Implement strict access controls and monitor user activities for suspicious behavior. Disable or remove the Custom Field Suite plugin if it is not essential. Since no official patch is currently available, consider applying temporary code-level mitigations such as disabling or sandboxing the eval() function usage within the plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable eval() call. Regularly audit and update all WordPress plugins and core installations to the latest versions once patches are released. Additionally, maintain robust backups and incident response plans to quickly recover from potential compromises.