{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5294/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-5294"}],"_cs_exploited":false,"_cs_products":["Geeky Bot plugin for WordPress \u003c= 1.2.2"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","rce","missing-authorization","cve-2026-5294","code-execution"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geeky Bot plugin for WordPress, in versions up to and including 1.2.2, contains a critical missing authorization vulnerability. This flaw stems from a publicly accessible (nopriv) AJAX route that lacks proper access controls. Attackers can leverage this route to control model and function dispatch, ultimately reaching a plugin installer helper function. This function allows the download and extraction of attacker-supplied ZIP files directly into the wp-content/plugins/ directory. By uploading a malicious plugin in a ZIP archive, an unauthenticated attacker can achieve remote code execution on the target WordPress server. This vulnerability poses a significant risk to WordPress sites using the Geeky Bot plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version of the Geeky Bot plugin (\u0026lt;= 1.2.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious ZIP archive containing a PHP file with arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the vulnerable nopriv AJAX endpoint (e.g., \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e) specifying the model/function to trigger the plugin installation helper.\u003c/li\u003e\n\u003cli\u003eThe request includes a URL pointing to the attacker\u0026rsquo;s malicious ZIP archive.\u003c/li\u003e\n\u003cli\u003eThe WordPress server downloads the ZIP archive from the attacker-controlled URL.\u003c/li\u003e\n\u003cli\u003eThe server extracts the contents of the ZIP archive into the \u003ccode\u003ewp-content/plugins/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP file through a web browser (e.g., \u003ccode\u003e/wp-content/plugins/malicious-plugin/shell.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server executes the attacker\u0026rsquo;s code, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to gain complete control of the affected WordPress website. This can lead to data breaches, website defacement, malware distribution, and further compromise of the underlying server infrastructure. Given the widespread use of WordPress and the simplicity of the exploit, numerous websites are potentially at risk. The CVSS v3.1 base score of 9.8 indicates the criticality of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately remove the Geeky Bot plugin from all WordPress installations.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with parameters indicative of plugin installation attempts, which can be detected by the Sigma rule \u0026ldquo;Detect Suspicious WordPress Plugin Installation via AJAX\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on the \u003ccode\u003ewp-content/plugins/\u003c/code\u003e directory to detect unauthorized file creation or modification, triggering on events matched by the \u0026ldquo;Detect Unauthorized Plugin Installation in WordPress\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eApply the principle of least privilege to the web server user to limit the impact of potential code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wordpress-geekybot-rce/","summary":"The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to 1.2.2, allowing unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution by exploiting a nopriv AJAX route and uploading malicious ZIP files.","title":"Geeky Bot WordPress Plugin Missing Authorization Vulnerability Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-geekybot-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5294","version":"https://jsonfeed.org/version/1.1"}