Platform
wordpress
Component
wp-cafe
Fixed in
2.2.28
CVE-2024-37513 describes a Path Traversal vulnerability discovered in the WPCafe WordPress plugin. This flaw allows unauthorized access to sensitive files on the web server by exploiting improper input validation. Versions of WPCafe up to and including 2.2.27 are affected, and a patch is available in version 2.2.28.
The Path Traversal vulnerability allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. Successful exploitation could lead to the disclosure of sensitive information such as configuration files, database credentials, or even source code. Depending on the files accessible, an attacker could gain a deeper understanding of the web application's architecture, potentially leading to further exploitation opportunities. This vulnerability is particularly concerning as WordPress plugins often handle user data and critical application logic, making the potential impact significant.
CVE-2024-37513 was publicly disclosed on July 9, 2024. There are currently no known public proof-of-concept exploits available, but the ease of exploitation for Path Traversal vulnerabilities suggests a potential for rapid exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress websites utilizing the WPCafe plugin, particularly those running older versions (≤2.2.27), are at risk. Shared hosting environments where server file permissions are not tightly controlled are especially vulnerable, as an attacker could potentially leverage this vulnerability to access files belonging to other users on the same server.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/wpcafe/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/wpcafe/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list | grep wpcafe
Disclosure
Exploit status
EPSS
1.23% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37513 is to immediately upgrade the WPCafe plugin to version 2.2.28 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Carefully review file permissions on the server to ensure that sensitive files are not accessible by the web server user. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
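A log check to go with the WAF advice above, added here as an example rather than anything from the advisory or the WPCafe project: it scans access-log lines for traversal attempts aimed at the plugin directory, percent-decoding repeatedly so that encoded or double-encoded "../" is not missed by a literal match. The log lines and the "file.php?path=" endpoint are constructed placeholders, not a real WPCafe endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the
# advisory. "file.php?path=" is a hypothetical endpoint used only to show a
# traversal sequence carried in a query parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2024:10:01:02 +0000] "GET /wp-content/plugins/wpcafe/assets/logo.png HTTP/1.1" 200 512
203.0.113.7 - - [09/Jul/2024:10:01:05 +0000] "GET /wp-content/plugins/wpcafe/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [09/Jul/2024:10:01:09 +0000] "GET /wp-content/plugins/wpcafe/file.php?path=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.11 - - [09/Jul/2024:10:01:12 +0000] "GET /wp-content/plugins/wpcafe/file.php?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048
198.51.100.3 - - [09/Jul/2024:10:02:00 +0000] "GET /wp-content/plugins/other/../other/x.css HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A ".." segment bounded by a slash, a query delimiter, or the end of the string.
TRAVERSAL_RE = re.compile(r'(^|[/=&])\.\.(/|$)')

def fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat backslash separators like slashes

def naive_waf_match(target: str) -> bool:
    """The literal '../' rule from the mitigation advice, applied to the raw request."""
    return "../" in target

def is_traversal_attempt(target: str) -> bool:
    """True when the decoded request contains a parent-directory segment."""
    return bool(TRAVERSAL_RE.search(fully_decode(target)))

def find_wpcafe_traversal(log_text: str, plugin_dir: str = "/wp-content/plugins/wpcafe/"):
    """Return (ip, decoded_target, status) for traversal attempts aimed at the plugin path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m.group("target"))
        if plugin_dir in decoded and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), decoded, int(m.group("status"))))
    return hits
```

Note that the literal-string rule catches only the first attempt; the two encoded variants pass it unchanged, so a WAF rule should normalise the request before matching.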
Update the WPCafe plugin to the latest available version. The local file inclusion (LFI) vulnerability has been fixed in versions after 2.2.27. Consult the plugin changelog for more details on the fix.
CVE-2024-37513 is a Path Traversal vulnerability affecting the WPCafe WordPress plugin, allowing attackers to read arbitrary files on the server.
You are affected if you are using WPCafe version 2.2.27 or earlier. Upgrade to version 2.2.28 to resolve the vulnerability.
Upgrade the WPCafe plugin to version 2.2.28 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block path traversal attempts.
While there is no confirmed active exploitation, public proof-of-concept exploits are emerging, increasing the risk.
Refer to the official WPCafe plugin website and WordPress plugin repository for the latest advisory and update information.