Plattform
wordpress
Komponente
jet-theme-core
Behoben in
2.2.1
CVE-2024-37497 describes an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability within Crocoblock JetThemeCore. This flaw allows attackers to manipulate files on the server, potentially leading to unauthorized access and data compromise. The vulnerability impacts versions of JetThemeCore prior to 2.2.1. A patch has been released, resolving this issue.
The Arbitrary File Access vulnerability in JetThemeCore allows an attacker to read or write files outside of the intended directory. This can be exploited to disclose sensitive information such as configuration files, database credentials, or even system files. An attacker could potentially overwrite critical files, leading to denial of service or complete system compromise. The impact is particularly severe if the WordPress site hosts sensitive data or is used for critical business operations. Successful exploitation could lead to a complete takeover of the WordPress installation.
CVE-2024-37497 was publicly disclosed on 2024-07-09. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Websites using JetThemeCore versions prior to 2.2.1 are at risk. This includes sites using shared hosting environments where file permissions may be less restrictive, and those relying on older WordPress installations that haven't been regularly updated. Sites with sensitive data stored within the WordPress file system are particularly vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/jet-themecore/*• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/jet-themecore/../../../../etc/passwd' # Check for file disclosuredisclosure
Exploit-Status
EPSS
0.16% (37% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-37497 is to immediately upgrade JetThemeCore to version 2.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Actualice el plugin JetThemeCore a la versión 2.2.1 o superior. Esta actualización corrige la vulnerabilidad de eliminación arbitraria de archivos. Puede actualizar a través del panel de administración de WordPress o descargando la última versión desde el sitio web del desarrollador.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-37497 is a vulnerability in JetThemeCore versions ≤2.2.1 that allows attackers to manipulate files on the server due to improper path validation, potentially leading to sensitive data exposure.
You are affected if you are using JetThemeCore version 2.2.1 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade JetThemeCore to version 2.2.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access permissions and WAF rules.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly to prevent potential attacks.
Refer to the Crocoblock website and JetThemeCore plugin documentation for the official advisory and detailed information regarding this vulnerability.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.