Plattform
wordpress
Komponente
epoll-wp-voting
Behoben in
3.1.1
CVE-2024-31240 describes an Arbitrary File Access vulnerability within the WP Poll Maker plugin for WordPress. This flaw allows an attacker to potentially read sensitive files from the server by manipulating file paths. The vulnerability impacts versions of WP Poll Maker up to and including 3.1. A patch has been released in version 3.1.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. By crafting malicious requests, an attacker could potentially retrieve configuration files, database credentials, or other sensitive data stored on the WordPress server. Successful exploitation could lead to data breaches, compromise of the WordPress installation, and potential lateral movement within the network if the retrieved data contains credentials for other systems. The impact is amplified in shared hosting environments where multiple websites reside on the same server, potentially exposing data from other users.
CVE-2024-31240 was publicly disclosed on April 10, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
WordPress websites utilizing the WP Poll Maker plugin, particularly those running versions 3.1 or earlier, are at risk. Shared hosting environments where users have limited control over plugin installations are also particularly vulnerable. Sites with sensitive data stored in accessible locations on the server face the highest risk.
• wordpress / composer / npm:
wp plugin list | grep Poll Maker• wordpress / composer / npm:
wp plugin update --all• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/wp-poll-maker/*• generic web: Check WordPress plugin directory for unauthorized modifications or unexpected files.
disclosure
Exploit-Status
EPSS
0.31% (54% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2024-31240 is to immediately upgrade the WP Poll Maker plugin to version 3.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds such as restricting file access permissions on the server or using a Web Application Firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint. WAF rules should be configured to block requests containing path traversal sequences (e.g., '../'). After upgrading, verify the fix by attempting to access a file outside the intended directory through the vulnerable endpoint; access should be denied.
Actualice el plugin WP Poll Maker a la última versión disponible. Si no hay una versión disponible, considere deshabilitar o eliminar el plugin hasta que se publique una versión corregida. Consulte el sitio web del proveedor para obtener más información y actualizaciones.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-31240 is a HIGH severity vulnerability in WP Poll Maker allowing attackers to read files outside of intended directories. It affects versions up to 3.1.
Yes, if you are using WP Poll Maker version 3.1 or earlier, you are vulnerable to this Arbitrary File Access issue.
Upgrade WP Poll Maker to version 3.1.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the InfoTheme website and WordPress plugin repository for the official advisory and update information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.