CVE-2024-9593
Published: 18 October 2024
Summary
CVE-2024-9593 is a high-severity Code Injection (CWE-94) vulnerability in Wpplugin Time Clock. Its CVSS base score is 8.3 (High).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Time Clock and Time Clock Pro plugins for WordPress are vulnerable to remote code execution in versions through 1.2.2 and 1.1.4 respectively. The flaw resides in the etimeclockwp_load_function_callback function, which permits invocation of arbitrary server-side functions and is tracked as CWE-94. The issue carries a CVSS 3.1 score of 8.3 with a network attack vector, no required privileges or user interaction, and changed scope.
Unauthenticated remote attackers can trigger the callback to execute code on the hosting server. Although the attacker cannot supply parameters to the invoked function, successful exploitation still allows limited control over confidentiality, integrity, and availability within the affected WordPress installation.
Public references from Wordfence and the WordPress plugin repository document the vulnerable code path and include changeset 3171046 that addresses the issue in subsequent releases. The current EPSS of 0.8550 indicates substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50045
Vulnerability details
The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.