
CVE-2024-6365: CWE-94 Improper Control of Generation of Code ('Code Injection') in woobewoo Product Table by WBW

Severity: Critical
Tags: vulnerability, cve, cve-2024-6365, cwe-94
Published: Tue Jul 09 2024 (07/09/2024, 03:33:03 UTC)
Source: CVE Database V5
Vendor/Project: woobewoo
Product: Product Table by WBW

Description

CVE-2024-6365 is a critical remote code execution vulnerability in the WordPress plugin Product Table by WBW, affecting all versions up to and including 2.0.1. The flaw exists in the 'saveCustomTitle' function due to missing authorization and lack of input sanitization in languages/customTitle.php, allowing unauthenticated attackers to execute arbitrary code on the server. This vulnerability has a CVSS score of 9.8, indicating a high impact on confidentiality, integrity, and availability without requiring authentication or user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make it a significant threat to WordPress sites using this plugin. Organizations running affected versions should prioritize patching or applying mitigations immediately to prevent potential compromise. Countries with large WordPress user bases and significant e-commerce or content management deployments are at higher risk.

AI-Powered Analysis

Last updated: 02/26/2026, 03:09:46 UTC

Technical Analysis

CVE-2024-6365 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code, or Code Injection) found in the Product Table by WBW WordPress plugin. The vulnerability resides in the 'saveCustomTitle' function within the languages/customTitle.php file, where the plugin fails to perform proper authorization checks and input sanitization on data appended during the save operation. This allows unauthenticated attackers to inject and execute arbitrary code on the server hosting the WordPress site. The vulnerability affects all versions up to and including 2.0.1, making it widespread among users of this plugin. The CVSS 3.1 base score of 9.8 reflects the vulnerability’s critical nature, with an attack vector of network (remote), no privileges required, no user interaction needed, and full impact on confidentiality, integrity, and availability. The lack of authentication and sanitization means an attacker can remotely execute code, potentially leading to full server compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Although no public exploits have been reported yet, the vulnerability’s characteristics make it highly exploitable. The plugin is commonly used to create sortable, filterable product tables in WordPress, often in e-commerce or catalog sites, increasing the attractiveness of targets. The vulnerability was published on July 9, 2024, with no official patch available at the time of reporting, emphasizing the urgency for mitigation.

Potential Impact

The impact of CVE-2024-6365 is severe for organizations worldwide using the Product Table by WBW plugin. Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the web server, potentially leading to full system compromise. This can result in data breaches, unauthorized data modification, website defacement, deployment of malware or ransomware, and use of the compromised server as a launchpad for attacks on internal networks. The confidentiality, integrity, and availability of affected systems are all at high risk. Organizations relying on WordPress for e-commerce, content management, or customer-facing portals are particularly vulnerable, as attackers could disrupt business operations or steal sensitive customer data. The vulnerability’s ease of exploitation and lack of required authentication make it a prime target for automated attacks and wormable exploits, increasing the risk of widespread compromise if not addressed promptly.

Mitigation Recommendations

1. Immediately update the Product Table by WBW plugin to a patched version once available. Monitor the vendor's announcements for official patches.
2. If no patch is available, temporarily disable or uninstall the plugin to eliminate the attack surface.
3. Restrict access to the vulnerable 'saveCustomTitle' function or related endpoints using web application firewalls (WAFs) or server-level access controls to block unauthorized requests.
4. Implement strict input validation and sanitization on any user-supplied data related to the plugin, if custom modifications are possible.
5. Monitor web server and application logs for suspicious activity, such as unexpected POST requests to the vulnerable function or unusual code execution patterns.
6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability.
7. Harden WordPress installations by following best practices, including least privilege for file permissions and disabling unnecessary plugins.
8. Conduct regular backups of affected systems to enable recovery in case of compromise.
9. Educate site administrators about the risk and signs of exploitation to enable rapid response.
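As an added example (not code from the advisory or from the plugin vendor), a small Python detector for recommendation 5: it parses web-server access-log lines in the combined format and flags requests that reference the vulnerable file or function named above. The sample log lines are constructed, and the request routes in them (an admin-ajax.php action name, a plugin directory placeholder) are assumptions, since the advisory names the file and function but not how they are reached over HTTP.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicator strings taken from the advisory: the vulnerable file and function.
# Where they show up in a request is an assumption; the advisory gives no route.
VULN_FILE = "languages/customTitle.php"
VULN_FUNC = "saveCustomTitle"

# Constructed sample log. PLUGIN_DIR is a placeholder for the plugin's directory
# name, which the advisory does not state; the admin-ajax action is assumed.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [10/Jul/2024:10:01:22 +0000] "GET /shop/?product_table=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.55 - - [10/Jul/2024:10:02:03 +0000] "POST /wp-admin/admin-ajax.php?action=saveCustomTitle HTTP/1.1" 200 42 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jul/2024:10:02:41 +0000] "GET /wp-content/plugins/PLUGIN_DIR/languages/customTitle.php HTTP/1.1" 200 310 "-" "curl/8.0"',
])

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(req: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the request matches an indicator, else None."""
    target = req["target"]
    if VULN_FILE in target:
        # Any direct hit on the file the save function writes to is worth a look:
        # the plugin has no reason to serve it to visitors.
        return f"{req['method']} to vulnerable file {VULN_FILE}"
    if VULN_FUNC.lower() in target.lower():
        # Caveat: access logs carry the request line only, so a function name
        # sent in a POST body will not be visible here; pair this with a WAF rule.
        return f"request names vulnerable function {VULN_FUNC}"
    return None

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert dict per matching request, in log order."""
    alerts: List[Dict[str, str]] = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reason = classify(req)
        if reason:
            alerts.append({"ip": req["ip"], "time": req["time"], "target": req["target"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```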


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-06-27T00:29:53.776Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c02b7ef31ef0b55eea8

Added to database: 2/25/2026, 9:39:14 PM

Last enriched: 2/26/2026, 3:09:46 AM

Last updated: 2/26/2026, 9:40:15 AM

