Platform
wordpress
Component
wishlist-member-x
Fixed in
3.26.7
CVE-2024-37108 describes an arbitrary file access vulnerability discovered in the Wishlist Member plugin for WordPress. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to delete arbitrary files on the server. Affected versions include those prior to version 3.26.7. A patch has been released to address this issue.
The primary impact of CVE-2024-37108 is the ability for an authenticated attacker to delete files on a WordPress server. While seemingly limited, this can be easily exploited to achieve remote code execution. Specifically, deleting files like wp-config.php can disrupt WordPress functionality and allow an attacker to inject malicious code. The attacker only requires Subscriber-level access, significantly broadening the potential attack surface. The ease of exploitation and potential for complete server compromise make this a high-severity vulnerability.
CVE-2024-37108 was publicly disclosed on June 20, 2024. While no public proof-of-concept (PoC) has been widely released, the ease of exploitation suggests a high probability of active exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its high CVSS score warrants close monitoring. Given the plugin's popularity, it's likely to be targeted by malicious actors.
WordPress websites utilizing the Wishlist Member plugin, particularly those running versions prior to 3.26.7, are at risk. Shared hosting environments are especially vulnerable, as they often have limited file permission controls and a higher density of WordPress installations, increasing the potential attack surface. Sites with legacy WordPress configurations or those that haven't implemented robust security practices are also at heightened risk.
• wordpress / composer / npm:
  grep -r 'wishlist_member_delete_file' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list --status=active | grep -i wishlist
• wordpress / composer / npm:
  wp plugin update wishlist-member --version=3.26.7
• generic web:
  Check WordPress access logs for requests containing suspicious file paths or deletion attempts targeting sensitive files like wp-config.php.
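The access-log check above, as an added example that is not part of this advisory: a small scanner over constructed Apache combined-format log lines that flags requests whose URL (after URL-decoding, including double encoding) contains path traversal or names a sensitive WordPress file. The endpoint, IPs and timestamps in the sample lines are made up; the sensitive-file list is an assumption you should extend for your site.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Jun/2024:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Jun/2024:10:02:13 +0000] "GET /wp-content/uploads/2024/06/image.png HTTP/1.1" 200 80210 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jun/2024:10:02:20 +0000] "POST /wp-admin/admin-ajax.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 44 "-" "curl/8.0"
192.0.2.7 - - [21/Jun/2024:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Files whose deletion breaks or exposes a WordPress install (assumed list; extend as needed).
SENSITIVE_FILES = ("wp-config.php", ".htaccess", "wp-settings.php")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def classify(url: str) -> list[str]:
    """Return the reasons a request URL looks like a traversal or sensitive-file access attempt."""
    decoded = unquote(unquote(url))  # second pass catches double-encoded sequences like %252e
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal")
    lowered = decoded.lower()
    for name in SENSITIVE_FILES:
        if name in lowered:
            reasons.append(f"references {name}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect the requests that classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["url"]} -> {", ".join(hit["reasons"])}')
```

Run it against a real log with `scan_log(open("/var/log/apache2/access.log").read())`; a flagged request is a starting point for triage, not proof of exploitation.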
disclosure
Exploit status
EPSS
0.28% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37108 is to immediately upgrade the Wishlist Member plugin to version 3.26.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete critical files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests. Regularly review WordPress plugin access permissions to ensure only necessary roles have write access.
Update to version 3.26.7 or a newer patched version
CVE-2024-37108 is a vulnerability in the Wishlist Member WordPress plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution if critical files are deleted.
You are affected if your WordPress site uses the Wishlist Member plugin and is running a version prior to 3.26.7. Check your plugin version immediately.
Upgrade the Wishlist Member plugin to version 3.26.7 or later. If immediate upgrade is not possible, implement temporary mitigations like restricting file permissions and using a WAF.
As of June 2024, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Wishlist Member website and WordPress plugin repository for the latest security advisory and update information regarding CVE-2024-37108.