This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Unauthenticated arbitrary plugin installation. **Consequences**: Attackers can install malicious plugins (webshells), leading to full site compromise, data theft, and server takeover. …
**CWE-862**: Missing Authorization. **Flaw**: The `install_or_activate_addon_plugins()` function lacks a capability check. **Weakness**: The nonce hash is weak, allowing bypass of authentication checks.
**Privileges**: Unauthenticated access (no login needed). **Data**: Full control over the WordPress installation. **Action**: Install arbitrary PHP plugins/webshells. …
**Public Exp?**: **YES**. **PoC**: Available on GitHub (gmh5225). **Scanner**: Nuclei templates available (projectdiscovery). **Method**: POST request to the REST API with a malicious ZIP URL.
Q7. How to self-check? (Features/Scanning)
**Check**: Scan for the REST endpoint `/autonami-app/plugin/install_and_activate`. **Tool**: Use Nuclei with the CVE-2025-1562 template. **Verify**: Check the plugin version in the WordPress admin (if accessible) or in HTTP headers.
Q8Is it fixed officially? (Patch/Mitigation)
π‘οΈ **Fixed?**: **YES**. π **Patch Date**: June 18, 2025. π **Update**: Upgrade to version **> 3.5.3**. π **Ref**: WordPress Trac changeset 3305437 addresses the API loader and admin class.
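The self-check in Q7 and the version threshold in Q8 can be turned into a small triage script. This is an added example, not code from the analysis or from the plugin: it scans web-server access-log lines (combined format) for POST requests to the `install_and_activate` REST endpoint named above and flags an installed plugin version that is not above 3.5.3. The log lines are constructed sample data; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2025:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2025:10:02:15 +0000] "POST /wp-json/autonami-app/plugin/install_and_activate HTTP/1.1" 200 87 "-" "python-requests/2.32"
203.0.113.9 - - [19/Jun/2025:10:02:20 +0000] "GET /wp-content/plugins/example/index.php HTTP/1.1" 404 0 "-" "python-requests/2.32"
198.51.100.4 - - [19/Jun/2025:10:05:00 +0000] "POST /wp-json/autonami-app/plugin/install_and_activate/?x=1 HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Endpoint from the advisory summary, prefixed with the standard WordPress REST base path.
ENDPOINT = "/wp-json/autonami-app/plugin/install_and_activate"

# ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_install_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every POST to the plugin-install endpoint (query string and trailing slash ignored)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the triage run
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] == "POST" and path == ENDPOINT:
            hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"]})
    return hits


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.5.3' -> (3, 5, 3); assumes plain dotted numeric versions as WordPress plugins use."""
    return tuple(int(part) for part in version.split("."))


def needs_update(installed: str, fixed_above: str = "3.5.3") -> bool:
    """The summary says upgrade to a version above 3.5.3, so anything <= 3.5.3 is flagged."""
    return version_tuple(installed) <= version_tuple(fixed_above)


if __name__ == "__main__":
    for hit in find_install_requests(SAMPLE_LOG):
        print(f"install_and_activate POST from {hit['ip']} at {hit['time']} (HTTP {hit['status']})")
    print("plugin 3.5.3 needs update:", needs_update("3.5.3"))
```

A 200 response to such a POST on an unpatched install is the case to escalate; a 403 typically shows the WAF path restriction from the workaround section doing its job.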
Q9. What if no patch? (Workaround)
**Workaround**: If unpatched, **disable the plugin** immediately. **Block**: Restrict access to `/wp-json/autonami-app/` via WAF. **Hardening**: Disable the REST API for unauthenticated users if possible.
Q10. Is it urgent? (Priority Suggestion)
**Urgency**: **CRITICAL**. **Priority**: **P0**. **Reason**: Unauthenticated RCE potential via plugin install. **Action**: Patch immediately or disable the plugin to prevent total site takeover.