CVE-2024-9593: 
WordPress vulnerability analysis and mitigation

The Time Clock plugin and Time Clock Pro plugin for WordPress contain a Remote Code Execution vulnerability (CVE-2024-9593) affecting versions up to and including 1.2.2 (Time Clock) and 1.1.4 (Time Clock Pro). The vulnerability was discovered and reported by István Márton from Wordfence, with public disclosure on October 18, 2024 (Wordfence Intel).

The vulnerability exists in the 'etimeclockwploadfunction_callback' function, which allows unauthenticated attackers to execute code on the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L. The issue is classified as CWE-94 (Improper Control of Generation of Code) (NVD Database).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the affected server, potentially leading to complete system compromise. The CVSS scoring indicates that the vulnerability can affect confidentiality, integrity, and availability of the system, though each impact is rated as Low within the context of the scoring system (NVD Database).

Users of the affected plugins should immediately update to versions newer than 1.2.2 for Time Clock and 1.1.4 for Time Clock Pro. The vulnerability has been addressed in subsequent releases (WordPress Plugin).