WP Dummy Content Generator CVE-2024-32599
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in Deepak anand WP Dummy Content Generator wp-dummy-content-generator.This issue affects WP Dummy Content Generator: from n/a through <= 3.2.1.
AnalysisAI
Remote code execution in the WP Dummy Content Generator WordPress plugin (versions up to and including 3.2.1) allows unauthenticated attackers to inject and execute arbitrary code due to improper input handling (CWE-94). With a maximum CVSS score of 10.0 and a scope-changing vector, successful exploitation grants full compromise of the WordPress site and underlying host context; no public exploit identified at time of analysis, while EPSS sits at 0.72% (72nd percentile).
Technical ContextAI
WP Dummy Content Generator by Deepak Anand is a WordPress plugin used by administrators and developers to populate sites with placeholder posts, pages, and users for testing. The flaw is classified as CWE-94 (Improper Control of Generation of Code, 'Code Injection'), meaning the plugin constructs or evaluates code from data that an attacker can influence without adequate validation, allowing injected payloads to be interpreted by the PHP runtime. Because WordPress plugins execute within the same PHP process as the core CMS, successful code injection runs with the privileges of the webserver user and can pivot into the database, file system, and other plugins.
Affected ProductsAI
The affected product is the WP Dummy Content Generator WordPress plugin authored by Deepak Anand, covering all versions from initial release up to and including 3.2.1. No specific CPE string was provided in the input data, and no vendor advisory URL was supplied beyond the Patchstack disclosure attribution; administrators should verify plugin metadata via the WordPress plugins directory entry for wp-dummy-content-generator. Sites running version 3.2.1 or earlier are in scope.
RemediationAI
No vendor-released patch version was identified in the supplied data, so the primary action is to immediately deactivate and remove the WP Dummy Content Generator plugin from production WordPress installations until a fixed release above 3.2.1 is confirmed by the maintainer or via Patchstack's advisory database. As compensating controls, restrict access to /wp-admin and any plugin-registered AJAX or REST endpoints via IP allowlisting at the web server or WAF, which will block unauthenticated network exploitation at the cost of breaking legitimate remote administration; additionally, deploy a WordPress security plugin (e.g., Wordfence, Patchstack) with virtual patching rules for CVE-2024-32599 if available, accepting the trade-off of relying on signature coverage. Because this is a content-generation utility typically used only during development, removing it from production carries minimal functional impact.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today