Platform
wordpress
Component
stockholm
Fixed in
9.6.1
CVE-2024-34552 describes a Path Traversal vulnerability within the Select-Themes Stockholm WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions of Stockholm up to 9.6, and a patch is available in version 9.6.1.
The core of this vulnerability lies in the improper handling of file paths within Stockholm. An attacker can craft malicious requests that bypass intended restrictions and access files outside the designated directory. Successful exploitation could allow an attacker to read sensitive configuration files, database credentials, or even include and execute arbitrary PHP code. This could lead to complete compromise of the WordPress instance and potentially the underlying server. The ability to include arbitrary code significantly expands the attack surface, enabling attackers to install malware, steal data, or deface the website.
CVE-2024-34552 was publicly disclosed on June 4, 2024. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. The ease of exploitation is relatively high due to the common nature of path traversal vulnerabilities and the availability of tools to automate exploitation attempts.
WordPress websites utilizing the Select-Themes Stockholm plugin, particularly those running versions 9.6 or earlier, are at risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Sites with misconfigured file permissions that allow the web server user to access sensitive files are also at increased risk.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/select-themes-stockholm/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/select-themes-stockholm/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --status=inactive | grep stockholm
Disclosure
Exploit status
EPSS
0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34552 is to immediately upgrade Select-Themes Stockholm to version 9.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Review and harden file access controls to limit the impact of potential exploitation. Monitor web server access logs for suspicious file access attempts, particularly those involving path traversal sequences like '../'.
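The log-monitoring advice above is easy to get wrong if you only grep for a literal "../": attackers routinely URL-encode the dot segments (%2e%2e/), sometimes twice. The script below is an added example, not part of this advisory or the Stockholm project: it parses a few constructed access-log lines in the common Apache/nginx "combined" format, decodes each request target repeatedly, and flags only real ".." path segments (a filename such as "..jpg-gallery" is not a traversal). The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines ("combined" format). These are made up
# for this example; they were not captured from a real site.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:10:01:12 +0000] "GET /wp-content/plugins/select-themes-stockholm/../../../../etc/passwd HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.5 - - [05/Jun/2024:10:01:15 +0000] "GET /wp-content/plugins/select-themes-stockholm/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
198.51.100.7 - - [05/Jun/2024:10:02:01 +0000] "GET /wp-content/themes/stockholm/style.css HTTP/1.1" 200 8812 "https://example.test/" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2024:10:03:44 +0000] "GET /index.php?file=..%252f..%252fwp-config.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.8 - - [05/Jun/2024:10:04:10 +0000] "GET /blog/2024/..jpg-gallery/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A traversal segment is ".." standing alone between separators (or at the
# start/end of a component), with either slash style.
TRAVERSAL_SEGMENT = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def decode_fully(s, max_rounds=3):
    """URL-decode repeatedly so %2e%2e and %252e%252e both surface as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target):
    """True if the path or any query value contains a '..' segment after decoding."""
    # Split path and query before decoding so a decoded '?' cannot confuse us.
    path, _, query = target.partition("?")
    candidates = [decode_fully(path)]
    for kv in query.split("&"):
        if kv:
            candidates.append(decode_fully(kv.split("=", 1)[-1]))
    return any(TRAVERSAL_SEGMENT.search(c) for c in candidates)


def scan_log(text):
    """Return (line_number, ip, status, target) for every request showing traversal."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if has_traversal(m["target"]):
            hits.append((n, m["ip"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    for n, ip, status, target in scan_log(SAMPLE_LOG):
        # A 200 on a traversal request deserves immediate follow-up; a 404
        # still shows someone probing the site.
        print(f"line {n}: {ip} -> {status} {target}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit that returned HTTP 200 on the vulnerable plugin path is the signal that a file outside the plugin directory was actually served and the host should be treated as potentially compromised.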
Update the Stockholm theme to the latest available version. If no fixed version is available, consider disabling or replacing the theme with a secure alternative. Watch for security updates from the vendor.
CVE-2024-34552 is a Path Traversal vulnerability in the Select-Themes Stockholm WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using Select-Themes Stockholm version 9.6 or earlier. Upgrade to 9.6.1 to resolve the issue.
Upgrade the Select-Themes Stockholm plugin to version 9.6.1 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature suggests it may be targeted soon. Prompt patching is recommended.
Refer to the Select-Themes website and WordPress plugin repository for the latest advisory and update information.