Platform
wordpress
Component
folders
Fixed in
3.0.3
CVE-2024-2024 describes an arbitrary file access vulnerability affecting the Folders Pro plugin for WordPress. This flaw allows authenticated attackers, possessing author access or higher, to upload arbitrary files to the server. Versions of Folders Pro up to and including 3.0.2 are vulnerable. A fix is available in a subsequent version, requiring users to upgrade.
The primary impact of CVE-2024-2024 is the potential for remote code execution (RCE) on WordPress servers. By exploiting this vulnerability, an attacker can upload malicious files, such as web shells or backdoors, which can then be executed by the web server. This could grant the attacker full control over the affected WordPress site, allowing them to steal sensitive data, modify website content, or launch further attacks against other systems on the network. The ability to upload arbitrary files bypasses standard WordPress security measures, making this a particularly dangerous vulnerability.
CVE-2024-2024 was publicly disclosed on June 14, 2024. There are currently no known public exploits, but the ease of exploitation makes it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites utilizing the Folders Pro plugin, particularly those with users having author or higher roles, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are especially vulnerable, as a compromise of one site could potentially impact others. Legacy WordPress installations running outdated versions of Folders Pro are also at increased risk.
• wordpress / composer / npm:
grep -r "handle_folders_file_upload" /var/www/html/wp-content/plugins/folders-pro/
• wordpress / composer / npm:
wp plugin list | grep -i 'folders'
• wordpress / composer / npm:
wp plugin update folders-pro
• generic web: Check the WordPress plugin directory for Folders Pro updates and security advisories.
disclosure
Exploit status
EPSS
17.12% (95th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-2024 is to upgrade the Folders Pro plugin to a version that addresses the vulnerability. Check the Folders Pro website or the WordPress plugin repository for the latest version. If an immediate upgrade is not possible because of compatibility issues or testing requirements, restrict file upload permissions on the server so that executable file types cannot be uploaded, implement a Web Application Firewall (WAF) rule to block suspicious file uploads, and monitor the WordPress file system for unexpected file creations or modifications.
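As an added example (not part of this advisory), a POSIX shell helper that turns the version check and the file-system monitoring step above into something scriptable: it compares an installed plugin version against the fixed version stated on this page and sweeps an uploads tree for PHP files, which is where an abused upload flaw would leave a web shell. The `wp plugin get folders-pro --field=version` call and the plugin slug `folders-pro` are assumptions about the deployment; everything else runs offline.

```shell
#!/bin/sh
# Added example for CVE-2024-2024 (Folders Pro <= 3.0.2). Not the advisory's code.
# FIXED_VERSION comes from the "Fixed in" field of this page.
FIXED_VERSION="3.0.3"

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Pure POSIX, so it works without GNU sort -V.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"     # drop the consumed component
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"                # missing components count as 0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# folders_pro_vulnerable VERSION: exit 0 if VERSION is below the fixed release.
folders_pro_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_folders_pro_version: read the installed version through WP-CLI.
# Assumption: wp is on PATH and this runs from the WordPress root.
# Prints nothing if the plugin is not installed.
installed_folders_pro_version() {
    wp plugin get folders-pro --field=version 2>/dev/null
}

# find_php_in_uploads DIR: list PHP-like files under an uploads tree.
# Legitimate media uploads are never PHP, so any hit deserves a look.
# Exit 0 if at least one file was found, 1 otherwise.
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print | grep .
}

# Stand-alone usage (constructed): check the live install, then sweep uploads.
if [ "${1:-}" = "--check" ]; then
    v=$(installed_folders_pro_version)
    [ -n "$v" ] || { echo "Folders Pro not installed"; exit 0; }
    folders_pro_vulnerable "$v" && echo "VULNERABLE: Folders Pro $v (< $FIXED_VERSION)" || echo "OK: Folders Pro $v"
    find_php_in_uploads "${2:-/var/www/html/wp-content/uploads}" || echo "no PHP files in uploads"
fi
```

Run it as `sh check.sh --check [uploads-dir]` on the host; the functions can also be sourced into other tooling.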
Update the Folders Pro plugin to the latest available version. The vulnerability allows arbitrary file upload, which could lead to remote code execution. The update fixes the missing file-type validation.
CVE-2024-2024 is a HIGH severity vulnerability in the Folders Pro WordPress plugin, versions ≤ 3.0.2, allowing authenticated attackers to upload arbitrary files, potentially leading to remote code execution.
If you are using Folders Pro version 3.0.2 or earlier, you are vulnerable. Check your plugin version with `wp plugin list` and upgrade immediately.
Upgrade Folders Pro to the latest available version. If immediate upgrade is not possible, restrict file upload permissions and implement a WAF rule to block malicious file extensions.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's potential for RCE makes it a high-priority risk.
Refer to the Folders Pro plugin website and WordPress.org plugin page for the latest security advisories and updates.