CVE-2024-9193 — AI Deep Analysis Summary

🚨 **Essence**: Local File Inclusion (LFI) in WHMpress plugin. 💥 **Consequences**: Arbitrary PHP code execution, bypassing access controls, and gaining full admin rights to the WordPress site.

🛡️ **Root Cause**: CWE-98 (Improper Control of Filename for Include/Require). The flaw exists in the `whmpress_domain_search_ajax_extended_results()` function, allowing unauthenticated file inclusion.

📦 **Affected**: WordPress Plugin **WHMpress** by **creativeon**. Versions **6.3-revision-0 and earlier** are vulnerable. It integrates WHMCS with WordPress.

💀 **Attacker Actions**: Execute arbitrary PHP code. Update arbitrary WordPress options. Change default registration role to **Administrator**. Enable user registration to gain full site control.

⚡ **Threshold**: **LOW**. No authentication (PR:N) required. Low complexity (AC:L). No user interaction (UI:N) needed. Remote exploitation (AV:N) is possible.

🔍 **Exploit Status**: **YES**. Public PoC available via ProjectDiscovery Nuclei templates. Wild exploitation is likely due to the low barrier to entry.

🔎 **Self-Check**: Scan for the plugin **WHMpress** version ≤ 6.3-revision-0. Use Nuclei templates targeting CVE-2024-9193. Check if `whmpress_domain_search_ajax_extended_results` is exposed.

🩹 **Fix**: Update WHMpress plugin to a version **newer than 6.3-revision-0**. Check the vendor's changelog for the patched release.

🚧 **No Patch?**: Disable the WHMpress plugin immediately. Restrict access to `/admin/services.php`. Implement WAF rules to block LFI patterns in query parameters.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8). Unauthenticated remote code execution allows immediate site takeover. Patch immediately!