Platform
wordpress
Component
advanced-classifieds-and-directory-pro
Fixed in
3.1.4
CVE-2024-37501 describes a Path Traversal vulnerability discovered in PluginsWare Advanced Classifieds & Directory Pro. This vulnerability allows unauthorized access to files outside of the intended directory, potentially leading to information disclosure. Versions of Advanced Classifieds & Directory Pro prior to 3.1.4 are affected. A patch has been released in version 3.1.4.
The Path Traversal vulnerability allows an attacker to manipulate file paths to access files outside of the intended directory. In the context of Advanced Classifieds & Directory Pro, this could allow an attacker to read sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress installation. While no specific real-world exploitation has been publicly reported for this CVE, path traversal vulnerabilities are frequently exploited, and this one's high CVSS score reflects the potential for significant impact.
CVE-2024-37501 was publicly disclosed on July 9, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not widely available, but the nature of path traversal vulnerabilities makes it likely that one will emerge.
Websites utilizing PluginsWare Advanced Classifieds & Directory Pro, particularly those running older versions (≤3.1.3) and those with shared hosting environments where file permissions may be less restrictive, are at increased risk. Sites with sensitive data stored on the server are especially vulnerable.
• wordpress / plugin: Check whether the plugin is installed and which version is active: wp plugin list | grep advanced-classifieds-and-directory-pro
• wordpress / plugin: Check for unusual files in the plugin's directory or accessible via web requests.
• generic web: Monitor web server access logs for requests containing ../ or other path traversal sequences.
• generic web: Use a WAF to block requests containing suspicious path traversal patterns.
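An added example (not from this advisory or the plugin vendor) of the access-log check recommended above: it parses constructed combined-format log lines, URL-decodes request paths repeatedly so encoded and double-encoded traversal sequences are not missed, and flags each matching request together with its response status so that served (200) responses can be reviewed first.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:08:15:02 +0000] "GET /wp-content/plugins/advanced-classifieds-and-directory-pro/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2024:08:15:07 +0000] "GET /index.php?file=../../../../wp-config.php HTTP/1.1" 200 1843 "-" "curl/8.0"
203.0.113.9 - - [10/Jul/2024:08:15:09 +0000] "GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 404 120 "-" "curl/8.0"
203.0.113.9 - - [10/Jul/2024:08:15:11 +0000] "GET /index.php?file=%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 200 1843 "-" "curl/8.0"
198.51.100.2 - - [10/Jul/2024:08:16:00 +0000] "GET /blog/2024/07/09/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Only the fields the check needs: client IP, request path, response status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# "../" anywhere, or a trailing "/.." after decoding and slash normalisation.
TRAVERSAL_RE = re.compile(r'\.\./|/\.\.$')


def normalize(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2e%2e%2f and double-encoded %252e.. forms are caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def find_traversal(log_text: str) -> list:
    """Return one record per request whose decoded path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize(m['path'])
        if TRAVERSAL_RE.search(norm):
            hits.append({'ip': m['ip'], 'path': m['path'], 'decoded': norm,
                         'status': int(m['status']),
                         # A 200 means the server answered; review those first.
                         'served': m['status'] == '200'})
    return hits


if __name__ == '__main__':
    for h in find_traversal(SAMPLE_LOG):
        print(f"{h['ip']} {h['status']} {h['decoded']}")
```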
Disclosure
Exploit status
EPSS
1.46% (81st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37501 is to immediately upgrade Advanced Classifieds & Directory Pro to version 3.1.4 or later. If upgrading is not immediately possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Restrict file permissions on the WordPress installation to minimize the potential damage from a successful exploit. Monitor WordPress access logs for unusual file access attempts. After upgrading, confirm the vulnerability is resolved by attempting to access a file outside the intended directory via a web request; the request should be denied.
Update the Advanced Classifieds & Directory Pro plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 3.1.3. Consult the plugin's changelog for more details on the fix.
CVE-2024-37501 is a Path Traversal vulnerability affecting Advanced Classifieds & Directory Pro versions up to 3.1.3, allowing attackers to access arbitrary files on the server.
You are affected if you are using Advanced Classifieds & Directory Pro version 3.1.3 or earlier. Upgrade to 3.1.4 to mitigate the risk.
Upgrade Advanced Classifieds & Directory Pro to version 3.1.4 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and file permission restrictions.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature suggests potential for rapid exploitation.
Refer to the PluginsWare website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-37501.