CVE-2024-9193 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) found in the WHMpress - WHMCS WordPress Integration Plugin. This plugin integrates WHMCS billing and client management with WordPress. The vulnerability exists in the whmpress_domain_search_ajax_extended_results() function, which improperly handles user input used in file inclusion operations. This flaw allows unauthenticated attackers to perform Local File Inclusion (LFI), enabling them to include arbitrary files from the server. Because PHP code in these files can be executed, attackers can run arbitrary PHP commands, leading to full remote code execution. Additionally, attackers can exploit the /admin/services.php endpoint to modify WordPress options, such as changing the default user role to administrator and enabling user registration. This results in attackers creating administrative accounts without authorization. The vulnerability affects all versions up to and including 6.3-revision-0 of the plugin. The CVSS 3.1 base score is 9.8, reflecting the vulnerability's ease of exploitation (network vector, no privileges or user interaction required) and its severe impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the critical nature and ease of exploitation make this a high-risk threat for WordPress sites using this plugin.

The impact of CVE-2024-9193 is severe for organizations running WordPress sites with the WHMpress plugin. Successful exploitation allows attackers to execute arbitrary PHP code remotely without authentication, leading to full server compromise. Attackers can bypass access controls, steal sensitive data, and manipulate site configurations. By changing the default user role to administrator and enabling user registration, attackers can create privileged accounts, maintaining persistent control over the site. This can result in data breaches, defacement, malware distribution, and use of the compromised server as a pivot point for further attacks within an organization's network. The vulnerability threatens the confidentiality, integrity, and availability of affected systems and can severely damage organizational reputation and trust.

1. Immediate upgrade or patching: Monitor the plugin vendor for an official security update addressing CVE-2024-9193 and apply it promptly. 2. If patching is not immediately possible, disable or remove the WHMpress plugin to eliminate the attack surface. 3. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit LFI via the vulnerable function, focusing on suspicious file inclusion patterns and unauthorized access to /admin/services.php. 4. Restrict file upload capabilities and validate file types rigorously to prevent uploading malicious PHP files disguised as safe types. 5. Harden WordPress configurations by disabling user registration if not required and enforcing least privilege principles on user roles. 6. Monitor logs for unusual access patterns, especially related to the vulnerable endpoints and changes in user roles or registrations. 7. Conduct regular security audits and vulnerability scans to detect exploitation attempts early. 8. Employ intrusion detection/prevention systems to alert on or block suspicious activity targeting the plugin.