Platform: wordpress
Component: post-grid-carousel-ultimate
Fixed in: 1.6.11
CVE-2024-13409 describes a Local File Inclusion (LFI) vulnerability affecting the Post Grid, Slider & Carousel Ultimate plugin for WordPress. This vulnerability allows authenticated attackers, specifically those with Contributor-level access or higher, to include and execute arbitrary files on the server. Versions of the plugin up to and including 1.6.10 are affected, and a fix is available in subsequent releases.
The primary impact of CVE-2024-13409 is the potential for arbitrary code execution on a WordPress server. An attacker, possessing only Contributor-level access, can exploit this vulnerability by crafting a malicious request that includes a PHP file containing arbitrary code. This code could then be executed by the web server, granting the attacker control over the affected system. The attacker could steal sensitive data, modify website content, install malware, or even gain complete control of the server. This vulnerability is particularly concerning because it requires only a low level of privilege to exploit, making it accessible to a wider range of attackers.
CVE-2024-13409 has been publicly disclosed. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation and the potential impact make it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation.
WordPress websites utilizing the Post Grid, Slider & Carousel Ultimate plugin, particularly those with multiple contributors or users with elevated privileges (e.g., Editor, Administrator), are at risk. Shared hosting environments where plugin installations are managed centrally are also particularly vulnerable, as a compromise of one site could potentially impact others.
Detection checks (wordpress / composer / npm):
• grep -r 'post_type_ajax_handler' /var/www/html/wp-content/plugins/post-grid-ultimate/
• wp plugin list | grep 'Post Grid'
• wp plugin list --status=active | grep 'Post Grid'
• curl -I http://your-wordpress-site.com/wp-content/plugins/post-grid-ultimate/ | grep -i 'theme='
Disclosure
Exploit status
EPSS: 0.36% (58th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-13409 is to upgrade the Post Grid, Slider & Carousel Ultimate plugin to a version newer than 1.6.10, where the vulnerability has been addressed. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing strict input validation on the 'theme' parameter, or using a Web Application Firewall (WAF) to block malicious requests. Monitor web server access logs for suspicious activity related to file inclusion attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with a benign file inclusion request and verifying that it is blocked or handled safely.
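The advisory recommends strict validation of the 'theme' parameter and monitoring access logs for file-inclusion attempts. The following Python script is an added example written for this page; it is not code from the advisory or from the plugin. It applies the same validation a hardened endpoint would apply (allowlist plus traversal and stream-wrapper rejection) to the 'theme' parameter of each request in a combined-format access log and reports the requests that fail. The parameter name comes from the advisory's own detection command; the allowlisted theme names, the admin-ajax action name and the log lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter name taken from the advisory's checks; the allowlist values are
# illustrative assumptions, not the plugin's real theme names.
PARAM_NAME = "theme"
ALLOWED_THEMES = {"grid", "slider", "carousel"}
NAME_RE = re.compile(r"^[a-z0-9_-]{1,64}$")

# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PHP stream wrappers and remote schemes that must never reach an include().
WRAPPER_PREFIXES = ("php:", "data:", "expect:", "file:", "phar:", "glob:",
                    "zip:", "http:", "https:", "ftp:")


def normalize(value: str) -> str:
    """Undo up to two layers of percent-encoding and unify path separators,
    so '..%252f' and '..\\' are judged the same way as '../'."""
    out = value
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/").lower()


def classify_theme_value(raw: str) -> tuple[bool, str]:
    """Return (suspicious, reason) for one value of the theme parameter."""
    value = normalize(raw)
    if "\x00" in value:
        return True, "null byte"
    if "../" in value or value.endswith("..") or value.startswith("/"):
        return True, "path traversal"
    if any(value.startswith(p) for p in WRAPPER_PREFIXES):
        return True, "stream wrapper / remote include"
    if not NAME_RE.match(value):
        return True, "characters outside the expected name set"
    if value not in ALLOWED_THEMES:
        return True, "not in allowlist"
    return False, "ok"


def scan_access_log(lines):
    """Return (ip, request target, reason) for every request whose theme
    parameter fails validation; requests without the parameter are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        query = urlsplit(target).query
        # parse_qs already removes one layer of percent-encoding.
        for value in parse_qs(query, keep_blank_values=True).get(PARAM_NAME, []):
            suspicious, reason = classify_theme_value(value)
            if suspicious:
                findings.append((m.group("ip"), target, reason))
    return findings


# Constructed sample log lines (placeholder action name, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&theme=grid HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&theme=../../../../wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&theme=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder_action&theme=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096',
    '203.0.113.10 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/plugins/post-grid-carousel-ultimate/assets/style.css HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

Run it against a real log with `scan_access_log(open("access.log"))`. The double decoding pass is what catches the `%252f` variant that a single-decode filter misses; the allowlist, rather than the blocklist of wrappers, is the check that actually closes the hole in a fixed endpoint, and the wrapper list exists only to give the log triage a more specific reason string.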
Update the Post Grid, Slider & Carousel Ultimate plugin to the latest available version. The Local File Inclusion (LFI) vulnerability has been fixed in versions after 1.6.10. This prevents authenticated attackers with Contributor level or higher from executing arbitrary files on the server.
CVE-2024-13409 is a Local File Inclusion vulnerability in the Post Grid WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Post Grid plugin versions 1.6.10 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Post Grid plugin to a version greater than 1.6.10. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could be targeted soon.
Refer to the Post Grid plugin developer's website or WordPress.org plugin page for the latest advisory and update information.