CVE-2024-6846 Scanner
CVE-2024-6846 scanner - Unauthenticated Log Purge vulnerability in SmartSearchWP
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 30 days
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
SmartSearchWP is a WordPress plugin that extends the site's built-in search. Site administrators install it to improve search relevance and the user experience, and it is used on sites ranging from small business pages to content-heavy and e-commerce deployments.
The Unauthenticated Log Purge vulnerability (CVE-2024-6846) lets an unauthenticated user delete the error and chat logs kept by the SmartSearchWP plugin. The cause is missing access control on a REST API endpoint the plugin registers. An attacker can use it to destroy log records, which hampers debugging and any later forensic investigation. Site owners running a vulnerable version should update the plugin.
The vulnerability exists within the SmartSearchWP plugin's REST API, specifically on the /wdgpt/v1/purge-error-logs endpoint. The plugin does not enforce an authentication or capability check on this route, so any client that can reach the site can call it. Exploitation is a single POST request carrying a JSON body that names the log window to purge; the relevant parameter is "months" (for example, "months":"1"). Issuing the request erases the plugin's error and chat logs for that period, defeating the site's log retention and error tracking.
If this vulnerability is exploited, an attacker can erase error and chat logs that administrators rely on to track issues and anomalies, compromising the integrity of site monitoring. Losing those logs also makes it harder to spot a security breach or a performance problem after the fact, so other attacks against the site are more likely to go unnoticed.
By using the S4E platform, you can protect your digital assets by identifying vulnerabilities like the Unauthenticated Log Purge in SmartSearchWP. Our platform continuously monitors your systems, providing detailed reports and actionable remediation steps. With S4E, you can ensure your website remains secure and compliant with the latest cybersecurity standards. Sign up today to leverage cutting-edge scanning tools, gain visibility into your security posture, and prevent unauthorized access to your systems.