The vulnerability identified as CVE-2024-36679 affects the Live Chat Pro (All in One Messaging) module, specifically versions up to and including 8.4.0. The root cause is a PHP code injection flaw in the method Lcp::saveTranslations(), which is exploited due to a predictable token that controls a white writer mechanism. This predictable token allows an unauthenticated guest user to inject arbitrary PHP code into a PHP file on the server. The injection occurs because the module fails to properly validate or sanitize input before writing it into executable PHP files. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), which is a critical security weakness enabling attackers to execute arbitrary code remotely. The CVSS 3.1 base score is 10.0, reflecting the highest severity with network attack vector, no required privileges, no user interaction, and a scope change that affects the entire system. Exploiting this vulnerability could allow attackers to execute arbitrary commands, escalate privileges, manipulate or steal data, and disrupt service availability. Although no public exploits have been reported yet, the ease of exploitation and critical impact make this a high-priority threat for any organization using the affected module in their web infrastructure.

The impact of CVE-2024-36679 is severe and wide-ranging. Attackers can remotely execute arbitrary PHP code without authentication, leading to full system compromise. This includes the ability to steal sensitive data, modify or delete files, install persistent backdoors, pivot within internal networks, and disrupt service availability. Organizations relying on the Live Chat Pro module for customer interaction or messaging services risk exposure of confidential customer information and potential defacement or downtime of their websites. The vulnerability’s exploitation could also facilitate further attacks such as ransomware deployment or lateral movement within enterprise networks. Given the module’s use in web applications, the attack surface is broad, potentially affecting any organization using this software, especially those with public-facing web servers. The critical severity and ease of exploitation mean that the threat is urgent and could lead to significant operational, reputational, and financial damage if not addressed promptly.

To mitigate CVE-2024-36679, organizations should immediately audit their use of the Live Chat Pro module and identify affected versions (<=8.4.0). Since no official patches are currently linked, temporary mitigations include disabling or removing the vulnerable module until a fix is released. Restricting web server write permissions to prevent unauthorized PHP file modifications can reduce exploitation risk. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious requests targeting the saveTranslations() method or unusual POST requests can provide interim protection. Monitoring web server logs for anomalous activity related to the module is critical for early detection. Organizations should also enforce strict input validation and sanitization practices in custom code and ensure that tokens or authentication mechanisms are unpredictable and securely implemented. Once a vendor patch is available, prompt application of updates is essential. Additionally, conducting regular security assessments and penetration tests focusing on third-party modules can help identify similar risks proactively.