Skip to main content

WP Dummy Content Generator CVE-2024-32599

CRITICAL
Code Injection (CWE-94)
2024-04-18 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
10.0 (CRITICAL)
CVE Published
Apr 18, 2024 - 09:15 nvd
N/A

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in Deepak anand WP Dummy Content Generator wp-dummy-content-generator.This issue affects WP Dummy Content Generator: from n/a through <= 3.2.1.

AnalysisAI

Remote code execution in the WP Dummy Content Generator WordPress plugin (versions up to and including 3.2.1) allows unauthenticated attackers to inject and execute arbitrary code due to improper input handling (CWE-94). With a maximum CVSS score of 10.0 and a scope-changing vector, successful exploitation grants full compromise of the WordPress site and underlying host context; no public exploit identified at time of analysis, while EPSS sits at 0.72% (72nd percentile).

Technical ContextAI

WP Dummy Content Generator by Deepak Anand is a WordPress plugin used by administrators and developers to populate sites with placeholder posts, pages, and users for testing. The flaw is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection'), meaning the plugin constructs or evaluates code from data that an attacker can influence without adequate validation, allowing injected payloads to be interpreted by the PHP runtime. Because WordPress plugins execute within the same PHP process as the core CMS, successful code injection runs with the privileges of the webserver user and can pivot into the database, file system, and other plugins.

Affected ProductsAI

The affected product is the WP Dummy Content Generator WordPress plugin authored by Deepak Anand, covering all versions from initial release up to and including 3.2.1. No specific CPE string was provided in the input data, and no vendor advisory URL was supplied beyond the Patchstack disclosure attribution; administrators should verify plugin metadata via the WordPress plugins directory entry for wp-dummy-content-generator. Sites running version 3.2.1 or earlier are in scope.

RemediationAI

No vendor-released patch version was identified in the supplied data, so the primary action is to immediately deactivate and remove the WP Dummy Content Generator plugin from production WordPress installations until a fixed release above 3.2.1 is confirmed by the maintainer or via Patchstack's advisory database. As compensating controls, restrict access to /wp-admin and any plugin-registered AJAX or REST endpoints via IP allowlisting at the web server or WAF, which will block unauthenticated network exploitation at the cost of breaking legitimate remote administration; additionally, deploy a WordPress security plugin (e.g., Wordfence, Patchstack) with virtual patching rules for CVE-2024-32599 if available, accepting the trade-off of relying on signature coverage. Because this is a content-generation utility typically used only during development, removing it from production carries minimal functional impact.

Share

CVE-2024-32599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy