Platform: wordpress
Component: stockholm-core
Fixed in: 2.4.2
CVE-2024-34554 describes a Path Traversal vulnerability within the Stockholm Core WordPress plugin. This flaw allows an attacker to potentially include arbitrary files on the server, leading to code execution and potential compromise of the WordPress installation. The vulnerability affects versions of Stockholm Core up to and including 2.4.1, with a fix available in version 2.4.2.
The core impact of CVE-2024-34554 lies in its ability to enable PHP Local File Inclusion (LFI). An attacker could leverage this vulnerability to read sensitive files from the server's file system, including configuration files, database credentials, or source code. Because the file is included by PHP rather than merely returned, exploitation escalates to code execution whenever the attacker can get PHP code into a file the traversal can reach (for example an upload or a poisoned log file), which can lead to complete server compromise and data exfiltration. The attacker would need to craft a malicious request that exploits the lack of proper path validation within the plugin's file handling routines; the specific parameter or endpoint involved is not detailed in this advisory. This is the same pattern as other LFI vulnerabilities, where directory traversal sequences such as ../ are used to escape the intended directory and reach unauthorized files.
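To make the flaw class concrete, here is an illustrative example added to this page. It is not Stockholm Core's own code (the plugin is PHP) and does not reproduce the plugin's actual vulnerable routine; it shows the generic pattern behind a PHP LFI bug, a request value joined onto a base directory without canonicalisation, next to a hardened version that resolves the path and rejects anything that lands outside the template directory. The directory layout, file names and attack strings are all constructed for the demo.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def unsafe_path(base_dir: str, user_file: str) -> str:
    """Vulnerable pattern (generic illustration, not the plugin's code):
    the request value is joined onto the base directory with no
    canonicalisation. PHP hands $_GET values to the script already
    percent-decoded once, so the single unquote() mirrors that."""
    return os.path.join(base_dir, unquote(user_file))


def safe_path(base_dir: str, user_file: str) -> Optional[str]:
    """Hardened pattern: resolve symlinks and '..' with realpath, then
    require the result to sit inside base_dir. Returns None to reject."""
    decoded = unquote(user_file)
    if "\x00" in decoded:  # NUL-byte truncation tricks
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Create a throwaway tree (constructed sample data) and run four
    requests through both versions. Returns, per request, whether each
    version would have served an existing file."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "plugin", "templates")
    os.makedirs(base)
    with open(os.path.join(base, "header.php"), "w") as fh:
        fh.write("<?php // legitimate template\n")
    # Stands in for a sensitive file outside the plugin directory.
    secret = os.path.join(root, "wp-config.php")
    with open(secret, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed');\n")

    attempts = {
        "legit": "header.php",
        "dotdot": "../../wp-config.php",
        "encoded": "..%2F..%2Fwp-config.php",
        # os.path.join() discards base_dir entirely for absolute input.
        "absolute": secret,
    }
    results = {}
    for name, req in attempts.items():
        results[name] = {
            "unsafe": os.path.isfile(unsafe_path(base, req)),
            "safe": safe_path(base, req) is not None,
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} naive served={outcome['unsafe']!s:5s} hardened served={outcome['safe']}")
```

The naive version serves all four requests, including the absolute path, which many developers forget is a traversal in its own right; the hardened version serves only the legitimate template. The realpath-then-prefix check is the fix to look for in a patched plugin, as opposed to stripping "../" substrings, which can be bypassed with encodings or nested sequences.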
CVE-2024-34554 was publicly disclosed on June 4, 2024. As of this writing, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the relatively straightforward nature of path traversal vulnerabilities.
WordPress websites running Stockholm Core version 2.4.1 or earlier are at risk. Shared hosting environments where multiple websites share the same server and PHP user are especially exposed, because a file inclusion on one site may reach files belonging to others. Websites whose file permissions let the web server user read more than it needs are also at increased risk.
• wordpress / composer / npm:
wp plugin get stockholm-core --field=version   # WP-CLI; 2.4.1 or lower is affected
grep -rnF '../' /var/www/html/wp-content/plugins/stockholm-core/   # -F matches '../' literally (as a regex '.' matches anything); lists relative paths for manual review
• generic web:
# --path-as-is stops curl collapsing '../' client-side; a HEAD request (-I) returns no body to inspect
curl -s --path-as-is 'https://your-wordpress-site.com/wp-content/plugins/stockholm-core/../../../../etc/passwd' | grep -m1 '^root:'   # check for file disclosure
Exploit status
EPSS: 0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34554 is to upgrade the Stockholm Core plugin to version 2.4.2 or later immediately. If upgrading is not immediately feasible due to compatibility issues or testing requirements, reduce the blast radius in the meantime: make sure the web server user can read only the files it needs and cannot write into the plugin directory, and consider PHP's open_basedir directive to confine file access to the site's document root. Web Application Firewalls (WAFs) can be configured to block requests containing path traversal sequences (e.g., ../); such rules must be applied after URL decoding, or encoded variants like %2e%2e%2f will pass through.
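As an added example of the detection side of the mitigation above (not part of the original advisory, and not a rule set from any specific WAF), the following scans web server access logs for traversal attempts. It percent-decodes the request target repeatedly before matching, which is what catches the double-encoded form that a rule looking only for a literal ../ would miss. The log lines are constructed; the IP addresses are documentation ranges and the requests mirror the URL-path probe used in the check above.

```python
import re
from urllib.parse import unquote

# Combined log format, just enough of it to pull client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a separator (or end of string), evaluated after normalisation.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def normalize_target(target: str) -> str:
    """Percent-decode until the string stops changing (bounded to three
    rounds, which covers double and triple encoding), then fold
    backslashes to '/' so Windows-style sequences match too."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(lines):
    """Return (ip, raw target, status) for every request that contains a
    traversal sequence once decoded. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample: plain, single-encoded and double-encoded probes from one
# client, plus two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2024:10:15:02 +0000] "GET /wp-content/plugins/stockholm-core/../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/8.4.0"',
    '203.0.113.7 - - [04/Jun/2024:10:15:05 +0000] "GET /wp-content/plugins/stockholm-core/..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 213 "-" "curl/8.4.0"',
    '198.51.100.23 - - [04/Jun/2024:10:16:11 +0000] "GET /wp-content/plugins/stockholm-core/assets/css/style.css HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jun/2024:10:17:40 +0000] "GET /wp-content/plugins/stockholm-core/..%252F..%252Fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [04/Jun/2024:10:18:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(status, ip, target)
```

Three of the five lines are flagged, all from the same client; a 200 on a traversal request is the one to chase first, since it means the server returned something rather than rejecting the path. Running the same normalisation inside a WAF rule, rather than a regex over the raw request, is what makes the blocking advice above hold up against encoded variants.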
Update the Stockholm Core plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 2.4.1. Consult the plugin's changelog for further details on the update.
CVE-2024-34554 is a Path Traversal vulnerability in the Stockholm Core WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Stockholm Core version 2.4.1 or earlier, you are affected by this vulnerability.
Upgrade the Stockholm Core plugin to version 2.4.2 or later to resolve this vulnerability. Consider WAF rules as an interim measure.
There is no confirmed active exploitation and the vulnerability is not listed in the CISA KEV catalog; because path traversal bugs are straightforward to reproduce, public proof-of-concept code may appear, which would raise the risk.
Refer to the official Stockholm Core website or WordPress plugin repository for the latest advisory and update information.