CVE-2024-6297 is a critical security vulnerability identified in the Social Sharing Plugin – Social Warfare (version 4.4.6.4) for WordPress. The vulnerability arises from the compromise of the plugin's source code repository, where threat actors injected malicious PHP scripts directly into the plugin codebase. This embedded malicious code performs several harmful actions: it exfiltrates sensitive database credentials, allowing attackers to gain unauthorized access to the backend database; it creates new administrator-level user accounts within the WordPress installation, granting persistent and elevated access; and it transmits stolen credentials and user data back to a remote command and control server controlled by the attacker. The exploit requires no authentication or user interaction, enabling remote attackers to fully compromise vulnerable WordPress sites without any user involvement. The vulnerability is classified under CWE-506 (Embedded Malicious Code), indicating that the malicious payload is embedded within legitimate plugin code, making detection more difficult. The CVSS v3.1 base score is 10.0, reflecting the criticality of the vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. Although no active exploits have been reported in the wild yet, the presence of malicious code in a widely used WordPress plugin poses a significant risk. The lack of available patches at the time of disclosure further exacerbates the threat, necessitating immediate action by site administrators. This vulnerability highlights the risks associated with supply chain attacks on open-source software components, especially popular CMS plugins.

The impact of CVE-2024-6297 is severe and multifaceted. Successful exploitation results in full compromise of the affected WordPress site, including unauthorized access to sensitive database information such as user credentials, personal data, and potentially payment information if stored. The creation of new administrator accounts enables attackers to maintain persistent control, modify site content, deploy additional malware, or use the site as a launchpad for further attacks within the hosting environment or network. This can lead to data breaches, defacement, loss of customer trust, and regulatory penalties. The availability of the website may also be affected if attackers deploy ransomware or disruptive payloads. Given WordPress's widespread use globally, especially among small to medium businesses, blogs, and e-commerce sites, the scale of potential impact is large. Organizations relying on this plugin without timely mitigation risk significant operational and reputational damage. Additionally, the embedded nature of the malicious code complicates detection and remediation, increasing the likelihood of prolonged undetected compromise.

Immediate mitigation steps include uninstalling the affected Social Warfare plugin version 4.4.6.4 from all WordPress installations until a verified clean and patched version is released. Administrators should conduct comprehensive malware scans using reputable WordPress security tools and endpoint detection solutions to identify and remove any malicious code or unauthorized administrator accounts created by attackers. It is critical to rotate all database credentials and WordPress administrator passwords to prevent ongoing unauthorized access. Monitoring network traffic for unusual outbound connections to unknown servers can help detect exfiltration attempts. Implementing strict file integrity monitoring on plugin directories can alert administrators to unauthorized code changes. Organizations should also review their WordPress update policies to ensure plugins are sourced from trusted repositories and verify plugin integrity before deployment. Employing web application firewalls (WAFs) with rules targeting known malicious payloads and anomalous behavior can provide additional protection. Finally, maintain regular backups of WordPress sites to enable rapid recovery if compromise occurs.