Platform
wordpress
Component
upunzipper
Fixed in
1.0.1
CVE-2024-35744 describes an Arbitrary File Access vulnerability affecting the Upunzipper WordPress plugin. This flaw allows attackers to potentially read or modify files on the server by manipulating file paths. Versions of Upunzipper prior to 1.0.1 are vulnerable, and a patch has been released to address this issue.
The Arbitrary File Access vulnerability in Upunzipper allows an attacker to bypass intended access controls and read or even write files on the server. This could lead to the exposure of sensitive data, including configuration files, database credentials, or even application code. Successful exploitation could also allow an attacker to modify critical files, potentially leading to a complete compromise of the WordPress site. The impact is particularly severe if the server is hosting sensitive user data or is part of a larger network, as the attacker could potentially use this vulnerability as a stepping stone for lateral movement.
CVE-2024-35744 was publicly disclosed on June 10, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept could change this rapidly. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, combined with the widespread use of WordPress, makes this a potentially significant risk.
WordPress websites utilizing the Upunzipper plugin, particularly those running older versions (≤1.0.0), are at risk. Shared hosting environments are especially vulnerable due to the potential for cross-site contamination if one website is compromised.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/upunzipper/*
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/upunzipper/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-35744 is to immediately upgrade Upunzipper to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file upload permissions and carefully validate all user-supplied input to prevent malicious file paths from being submitted. Regularly review WordPress plugin permissions and disable any unnecessary plugins.
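One way to implement the input validation recommended above, as an added example that is not code from the Upunzipper plugin: a helper that lexically normalises a user-supplied relative path and rejects anything that would escape the intended base directory. The function name `resolve_inside` and the sample paths are constructed for illustration.

```php
<?php
// Added example (not Upunzipper code): confine a user-supplied relative path
// to $baseDir before any filesystem access. Returns the resolved absolute path,
// or null when the input escapes the base directory.
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory must exist
    }

    // Decode one layer of URL encoding so "%2e%2e%2f" is treated like "../",
    // and refuse NUL bytes, which can truncate paths in C-backed APIs.
    $decoded = rawurldecode($userPath);
    if (strpos($decoded, "\0") !== false) {
        return null;
    }

    // Normalise lexically (no disk access), so the check also works for
    // targets that do not exist yet, such as files about to be extracted.
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $decoded) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null; // attempt to climb above the base directory
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null; // the base directory itself is not a valid target
    }
    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);

    // Final containment check: the candidate must start with base + separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed sample inputs: accepted paths resolve, traversal attempts return null.
$base = sys_get_temp_dir();
var_dump(resolve_inside($base, 'uploads/archive.zip'));               // absolute path inside base
var_dump(resolve_inside($base, 'a/b/../c.txt'));                      // ends in a/c.txt
var_dump(resolve_inside($base, '../../../../etc/passwd'));            // NULL
var_dump(resolve_inside($base, 'uploads/%2e%2e/%2e%2e/wp-config.php')); // NULL
```

Lexical normalisation keeps the check independent of whether the target exists yet; for paths that already exist, comparing realpath() of the result against the base additionally guards against symlinks pointing outside it.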
Update the Upunzipper plugin to a version later than 1.0.0. If no such version is available, consider uninstalling the plugin until a fixed version is published. This prevents arbitrary file deletion on your server.
CVE-2024-35744 is a HIGH severity vulnerability in Upunzipper allowing attackers to read or modify files via path traversal. It affects versions up to 1.0.0.
Yes, if you are using Upunzipper version 1.0.0 or earlier, you are affected by this vulnerability.
Upgrade Upunzipper to version 1.0.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the vulnerability's nature makes it a likely target for exploitation.
Check the official Upunzipper plugin page and WordPress.org plugin repository for updates and advisories.