Platform
wordpress
Component
boldgrid-backup
Fixed in
1.15.9
CVE-2024-24869 describes an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in BoldGrid Total Upkeep. This flaw allows attackers to potentially access arbitrary files on the server. The vulnerability impacts versions of Total Upkeep up to and including 1.15.8. A patch is available in version 1.15.9.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of BoldGrid Total Upkeep, this could allow an attacker to read configuration files, database connection strings, or even source code, potentially exposing sensitive information. Successful exploitation could lead to data breaches, privilege escalation, or further compromise of the WordPress environment. While the specific files accessible depend on server configuration and permissions, the potential for significant impact is present.
CVE-2024-24869 was publicly disclosed on 2024-05-17. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is not widely available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
WordPress websites utilizing BoldGrid Total Upkeep, particularly those with older versions (≤1.15.8) and less stringent security configurations, are at risk. Shared hosting environments where users have limited control over server permissions are also particularly vulnerable, as are systems with default or weak file access controls.
• wordpress / composer / npm:
grep -r '../' /var/www/html/wp-content/plugins/total-upkeep/*
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/total-upkeep/../../../../etc/passwd' # Attempt to access sensitive files
Exploit status
EPSS
1.42% (81st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-24869 is to upgrade BoldGrid Total Upkeep to version 1.15.9 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file access permissions on the server and implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., '../'). Regularly monitor access logs for suspicious activity and consider using a security scanner to identify potential vulnerabilities. After upgrading, confirm the fix by attempting to access files outside the intended directory via the vulnerable endpoint and verifying access is denied.
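The log-monitoring advice above can be turned into a concrete check. The following is an added example, not code from the advisory or from BoldGrid: it scans Apache combined-format access-log lines (the sample lines are constructed) for requests to the plugin directory that carry a '..' path segment, decoding percent-encoded and double-encoded forms first so that '%2e%2e%2f' and '%252e%252e%252f' are caught as well. The plugin directory names and the log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2024:10:01:02 +0000] "GET /wp-content/plugins/boldgrid-backup/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [17/May/2024:10:01:05 +0000] "GET /wp-content/plugins/boldgrid-backup/../../../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.12 - - [17/May/2024:10:01:09 +0000] "GET /wp-content/plugins/boldgrid-backup/x.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.13 - - [17/May/2024:10:01:12 +0000] "GET /wp-content/plugins/boldgrid-backup/x.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
203.0.113.14 - - [17/May/2024:10:01:15 +0000] "GET /wp-content/uploads/2024/05/image..png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed plugin directories (the advisory names both 'boldgrid-backup' and 'total-upkeep').
PLUGIN_PATHS = ("/wp-content/plugins/boldgrid-backup/", "/wp-content/plugins/total-upkeep/")
# A '..' that forms its own path segment, either in the path or right after a query delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences such as %252e%252e%252f are normalised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_attempt(target):
    """True when the request targets the plugin directory and carries a '..' path segment anywhere."""
    decoded = decode_fully(target)
    if not any(p in decoded for p in PLUGIN_PATHS):
        return False
    return bool(TRAVERSAL_RE.search(decoded))


def scan_log(text):
    """Return (client_ip, status, raw_target) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 on a flagged request is the line to investigate; a 403 from the WAF rule mentioned above is the expected outcome after mitigation.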
Update the Total Upkeep plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. To update, go to the WordPress admin panel, open the 'Plugins' section, and search for 'Total Upkeep' to update it.
CVE-2024-24869 is a path traversal vulnerability in BoldGrid Total Upkeep allowing attackers to potentially access arbitrary files. It has a CVSS score of 7.5 (HIGH) and affects versions up to 1.15.8.
You are affected if you are using BoldGrid Total Upkeep version 1.15.8 or earlier. Upgrade to version 1.15.9 to resolve the vulnerability.
Upgrade BoldGrid Total Upkeep to version 1.15.9 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block path traversal attempts.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the BoldGrid security advisory for detailed information and updates: [https://boldgrid.com/security-advisories/]