This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Unauthenticated Arbitrary Options Update in **Image Hover Effects Ultimate** plugin. <br>π₯ **Consequences**: Full website compromise.β¦
π‘οΈ **CWE**: CWE-284 (Improper Access Control). <br>π **Flaw**: The plugin fails to verify user permissions before allowing updates to critical options. No authentication required to trigger this flaw.
Q3Who is affected? (Versions/Components)
π’ **Vendor**: Oxilab. <br>π¦ **Product**: Image Hover Effects Ultimate (WordPress Plugin). <br>π **Affected Versions**: **9.6.1 and earlier**. If you are on an older version, you are at risk!
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Privileges**: **Unauthenticated** access. No login needed. <br>π **Data**: Full website control. Attackers can read sensitive data, modify site content, and potentially install backdoors.β¦
β‘ **Threshold**: **LOW**. <br>π **Auth**: None required. <br>βοΈ **Config**: Low complexity. Any visitor can exploit this remotely. It is an easy target for automated bots.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π£ **Public Exp?**: **YES**. <br>π **PoC**: Available via Nuclei templates (ProjectDiscovery). <br>π **Status**: Wild exploitation is likely given the ease of use and lack of authentication.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: <br>1. Check WordPress plugin list for **Image Hover Effects Ultimate**. <br>2. Verify version is **β€ 9.6.1**. <br>3.β¦
π§ **No Patch?**: <br>1. **Disable** the plugin immediately if not in use. <br>2. **Delete** the plugin if unnecessary. <br>3. Restrict access to `wp-admin` if possible. <br>4.β¦
π₯ **Urgency**: **CRITICAL**. <br>β±οΈ **Priority**: **P0**. <br>π **Reason**: Unauthenticated, easy to exploit, and leads to full compromise. Patch immediately to prevent data breaches and site takeover.