Platform
wordpress
Component
et-core-plugin
Fixed in
5.3.9
CVE-2024-33557 describes a Path Traversal vulnerability in the XStore Core WordPress plugin (plugin slug et-core-plugin) that results in PHP Local File Inclusion. An attacker can make the plugin include files it was never meant to load, leading to sensitive data exposure or, under the right conditions, remote code execution. Versions up to and including 5.3.8 are affected; the fix shipped in version 5.3.9.
The core impact of this vulnerability lies in its ability to facilitate PHP Local File Inclusion (LFI). An attacker could use it to read sensitive files from the server's filesystem, such as wp-config.php with its database credentials and authentication salts, or other application secrets. More critically, LFI becomes remote code execution (RCE) as soon as the attacker can get PHP code into any file the vulnerable include can reach, for example through an upload feature that accepts image files with PHP embedded in them, or through a log file that records attacker-supplied request data. Code executed this way runs as the web server user, which gives the attacker full control over the affected WordPress instance and opens the way to data breaches, website defacement, or the installation of malware.
CVE-2024-33557 was publicly disclosed on June 4, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. While no public proof-of-concept (PoC) code has been released, the nature of Path Traversal vulnerabilities makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Websites running the XStore Core WordPress plugin at version 5.3.8 or earlier are at risk. Sites on shared or managed hosting where the provider controls plugin updates remain exposed until the provider rolls out 5.3.9. Sites that let visitors upload files (product reviews, support forms, open registration) are especially exposed, because an attacker-controlled file on disk is what turns this include flaw from information disclosure into code execution.
• wordpress / composer / npm:
wp plugin get et-core-plugin --field=version # affected if the result is 5.3.8 or lower
• generic web:
grep -h 'Version:' /var/www/html/wp-content/plugins/et-core-plugin/*.php # read the plugin header directly when WP-CLI is not available
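A worked version check, added here as an example and not part of the page or of 8theme's tooling: it reads the Version header from the plugin's main PHP file and compares it field by field with 5.3.9, so it also handles versions with fewer fields or a pre-release suffix. It assumes the plugin lives in wp-content/plugins/et-core-plugin/ and that its main file sits at the top level of that directory; the demo plugin directory it writes is constructed, and the file name et-core-plugin.php used for it is an assumption.

```shell
#!/bin/sh
# Added example (not vendor or page tooling): decide from the plugin header
# whether the installed XStore Core (et-core-plugin) is at a version affected
# by CVE-2024-33557. Assumes the plugin's main PHP file sits at the top level
# of its directory and carries the standard WordPress "Version:" header.

FIXED_VERSION="5.3.9"

# Print the version declared in the first "Version:" header found in the
# top-level PHP files of the plugin directory given as $1 (empty if none).
plugin_version() {
    grep -h -E '^[[:space:]*]*Version:[[:space:]]*[0-9]' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed -E 's/.*Version:[[:space:]]*([0-9][0-9.]*).*/\1/'
}

# Compare dotted numeric versions field by field: exit 0 if $1 < $2.
# Missing fields count as 0 and non-numeric suffixes such as "5.3.8-beta"
# are ignored, so "5.3" < "5.3.9" and "5.3.8-beta" < "5.3.9".
version_lt() {
    left="$1." right="$2."
    while [ -n "$left" ] || [ -n "$right" ]; do
        l="${left%%.*}"; left="${left#*.}"
        r="${right%%.*}"; right="${right#*.}"
        l="${l%%[!0-9]*}"; r="${r%%[!0-9]*}"
        if [ "${l:-0}" -lt "${r:-0}" ]; then return 0; fi
        if [ "${l:-0}" -gt "${r:-0}" ]; then return 1; fi
    done
    return 1
}

# Report the status of the plugin directory $1. Exit status: 0 not affected,
# 1 affected, 2 no version header found.
check_plugin() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "no plugin version header found under $1"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "et-core-plugin $v: AFFECTED by CVE-2024-33557 (fixed in $FIXED_VERSION)"
        return 1
    fi
    echo "et-core-plugin $v: not affected (>= $FIXED_VERSION)"
    return 0
}

# Constructed sample only: write a throwaway plugin directory under $1 whose
# main file declares version $2, mimicking the real header layout. The file
# name et-core-plugin.php is an assumption made for this demo.
make_demo_plugin() {
    mkdir -p "$1"
    cat > "$1/et-core-plugin.php" <<EOF
<?php
/*
 * Plugin Name: XStore Core
 * Version: $2
 */
EOF
}

demo_root="$(mktemp -d)"
make_demo_plugin "$demo_root/et-core-plugin" 5.3.8
check_plugin "$demo_root/et-core-plugin" || echo "exit status: $?"
```

On a live site, call `check_plugin /var/www/html/wp-content/plugins/et-core-plugin` (or whatever the site root is) from a shell on the server; the exit status makes it usable from a fleet-wide inventory script, and a status of 2 means the directory needs a manual look rather than a pass.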
Exploit status
EPSS
1.66% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-33557 is to upgrade the XStore Core plugin to version 5.3.9 or later immediately. If the upgrade has to wait because of theme compatibility concerns, reduce what the flaw can do in the meantime. This is an include/read flaw, so tightening write permissions on the plugin directory does not block it; what helps is keeping attacker-controlled content out of reach of the include: disable PHP execution in wp-content/uploads, restrict PHP's open_basedir to the site root, and review any feature that accepts uploads. A Web Application Firewall can block requests containing traversal sequences, including the encoded forms attackers use to evade naive filters (../, ..\, %2e%2e%2f, ..%2f, ..%5c and the double-encoded %252e%252e%252f). Treat WAF rules as a stopgap, not a fix. After upgrading, confirm that the installed version reads 5.3.9 or later and review access logs for traversal attempts that predate the patch.
Update the XStore Core plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 5.3.8. To update, go to the WordPress admin panel, then to the Plugins section, and look for XStore Core. If an update is available, install it immediately.
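Log-side detection for the same traversal patterns a WAF rule would block, added here as an example that is not part of the page or of the plugin: it decodes the percent-encoded, double-encoded and backslash forms before matching, so an attempt written as %2e%2e%2f or %252e%252e%252f is caught alongside a plain ../. The sample log lines are constructed, and the ?file= parameter in them is a placeholder; the page does not identify the plugin's actual vulnerable parameter.

```shell
#!/bin/sh
# Added example (not from the page or the plugin vendor): flag path-traversal
# attempts in web server access logs, including percent-encoded, double-encoded
# and backslash variants. The request paths and parameter names in the sample
# log are constructed for illustration; they are not the plugin's real endpoint.

# Decode the escapes an attacker uses to hide "../": %2e %2f %5c and %25.
# Repeats until nothing changes so "%252e%252e%252f" unwraps fully, then maps
# backslashes to slashes so "..\" is treated like "../".
decode_path() {
    p="$1" prev=""
    while [ "$p" != "$prev" ]; do
        prev="$p"
        p="$(printf '%s' "$p" | sed -e 's/%2[Ee]/./g' -e 's/%2[Ff]/\//g' -e 's/%5[Cc]/\\/g' -e 's/%25/%/g')"
    done
    printf '%s' "$p" | tr '\\' '/'
}

# Exit 0 when a decoded path contains a directory-traversal segment.
# "file..name.js" does not count: the two dots must form a path segment.
is_traversal() {
    case "$1" in
        *"../"*|*"/..") return 0 ;;
    esac
    return 1
}

# Read combined-format access log lines on stdin; print "<ip> <decoded path>"
# for every request whose path or query string contains a traversal.
scan_log() {
    while IFS= read -r line; do
        ip="${line%% *}"
        req="${line#*\"}"      # drop everything before the request line
        req="${req%%\"*}"      # GET /path?query HTTP/1.1
        path="${req#* }"       # /path?query HTTP/1.1
        path="${path%% *}"     # /path?query
        decoded="$(decode_path "$path")"
        if is_traversal "$decoded"; then
            printf '%s %s\n' "$ip" "$decoded"
        fi
    done
}

# Constructed sample log (not real traffic): one benign request, one benign
# path containing "..", and four traversal attempts in different encodings.
SAMPLE_LOG='203.0.113.10 - - [04/Jun/2024:10:00:01 +0000] "GET /wp-content/uploads/2024/06/photo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/example/file..name.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.12 - - [04/Jun/2024:10:00:03 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 404 120 "-" "curl/8.0"
203.0.113.13 - - [04/Jun/2024:10:00:04 +0000] "GET /?file=%2e%2e%2F%2e%2e%2Fwp-config.php HTTP/1.1" 200 80 "-" "python-requests/2.31"
203.0.113.14 - - [04/Jun/2024:10:00:05 +0000] "GET /?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 80 "-" "-"
203.0.113.15 - - [04/Jun/2024:10:00:06 +0000] "GET /?file=..%5c..%5cwp-config.php HTTP/1.1" 200 80 "-" "-"'

# Prints the four traversal attempts (203.0.113.12 through .15) with their
# decoded paths; the two benign lines produce no output.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Against a real log, run `scan_log < /var/log/nginx/access.log` (or the Apache equivalent). Decoding before matching is the point: a rule that only looks for the literal string ../ is what the encoded variants are designed to bypass, and the same holds for any WAF rule you write for this flaw.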
CVE-2024-33557 is a Path Traversal vulnerability affecting the XStore Core WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using XStore Core version 5.3.8 or earlier, you are vulnerable to this Path Traversal flaw.
Upgrade the XStore Core plugin to version 5.3.9 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
No exploitation in the wild and no public proof of concept have been confirmed, but path traversal flaws are usually easy to exploit once the vulnerable parameter is known, so weaponisation can follow quickly. Monitor your WordPress site and its access logs closely.
Refer to the official XStore Core website and WordPress plugin repository for the latest advisory and update information.