CRITICAL🇵🇱 Wersja polska

CVE-2024-12583

CVSS 9.9v3.1pub. 2025-01-04upd. 2026-04-15

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

🤖 AI Analysis
How it works

The vulnerability results from lack of validation and sanitization of input data in the render function handling Twig templates. An attacker can inject malicious code into a Twig template, which will be executed on the server side (Server-Side Template Injection, SSTI). This mechanism allows execution of arbitrary PHP or system code in the context of the web server and reading files accessible to the server process.

Impact

An authenticated attacker with Contributor level access or higher can execute arbitrary code on the server and read any files, which may lead to complete server takeover, data breach, and violation of application integrity.

Mitigation & patch

The Dynamics 365 Integration plugin should be updated to the version published in changeset 3210927 or later, in accordance with vendor references available in the WordPress repository.

Who is affected

Dynamics 365 Integration plugin for WordPress in all versions up to and including 1.3.23.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References