vulnerability

WordPress Plugin: gotmls: CVE-2024-22144: Improper Control of Generation of Code ('Code Injection')

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Mar 12, 2024

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.21.96 due to weak nonce generation combined with missing authorization. This makes it possible for unauthenticated attackers to brute force a valid nonce that can be used to add malware rule and execute code on the server.

Solution

gotmls-plugin-cve-2024-22144

References

https://www.cve.org/CVERecord?id=CVE-2024-22144
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e81331-0b39-4490-8624-38078b3d5420?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-19740
CVE-2024-22144
https://attackerkb.com/topics/CVE-2024-22144
CWE-94
EUVD-EUVD-2024-19740

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report