Platform
wordpress
Component
booking-ultra-pro
Fixed in
1.1.14
CVE-2024-38717 describes a Path Traversal vulnerability within the Booking Ultra Pro Appointments Booking Calendar WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data disclosure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 1.1.13, and a fix is available in version 1.1.14.
The core impact of CVE-2024-38717 lies in its ability to facilitate Local File Inclusion (LFI). An attacker could leverage this vulnerability to read sensitive files from the server's file system, such as configuration files containing database credentials, application source code, or other confidential data. Successful exploitation could lead to unauthorized access to the WordPress installation, data breaches, and potential compromise of the entire web server. While direct remote code execution isn't guaranteed, the ability to include arbitrary files opens the door to further exploitation depending on the server's configuration and the files accessible.
CVE-2024-38717 was publicly disclosed on 2024-07-12. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's relatively straightforward nature suggests that it may become a target for opportunistic attackers.
WordPress websites utilizing the Booking Ultra Pro Appointments plugin, particularly those running versions prior to 1.1.14, are at risk. Shared hosting environments where WordPress installations have limited control over file permissions are especially vulnerable. Sites with weak server configurations or inadequate WAF protection are also at increased risk.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/booking-ultra-pro-appointments/
• generic web:
curl -I --path-as-is 'https://your-wordpress-site.com/wp-content/plugins/booking-ultra-pro-appointments/../../../../etc/passwd' # Check for file disclosure; --path-as-is stops curl from collapsing the ../ segments before the request is sent
Exploit status
EPSS
1.23% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-38717 is to immediately upgrade the Booking Ultra Pro Appointments plugin to version 1.1.14 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) with rules to block attempts to access files outside of the intended directory, and carefully reviewing the plugin's code for any other potential vulnerabilities. After upgrading, verify the fix by attempting to access files outside the intended directory via the plugin's interface; access should be denied.
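As an added example (not code from the advisory or the plugin vendor), the following Python script runs over web server access-log lines and flags traversal attempts aimed below the plugin directory named above, decoding single- and double-URL-encoded dot segments that a plain `../` search would miss. The log lines, client addresses and the `f` query parameter are constructed for the example; the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Plugin directory named in the advisory; only requests under it are inspected.
PLUGIN_PATH = "/wp-content/plugins/booking-ultra-pro-appointments/"

# Combined-log-format lines constructed for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2024:10:01:02 +0000] "GET /wp-content/plugins/booking-ultra-pro-appointments/css/style.css HTTP/1.1" 200 512
203.0.113.11 - - [12/Jul/2024:10:01:05 +0000] "GET /wp-content/plugins/booking-ultra-pro-appointments/../../../../etc/passwd HTTP/1.1" 200 1021
203.0.113.12 - - [12/Jul/2024:10:01:09 +0000] "GET /wp-content/plugins/booking-ultra-pro-appointments/?f=..%2f..%2fwp-config.php HTTP/1.1" 200 3100
203.0.113.13 - - [12/Jul/2024:10:01:12 +0000] "GET /wp-content/plugins/booking-ultra-pro-appointments/?f=%252e%252e%252fwp-config.php HTTP/1.1" 404 200
203.0.113.14 - - [12/Jul/2024:10:01:15 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 200
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so single- and double-encoded dot segments
    surface as '../'; fold backslashes, which some servers treat as separators."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal(target: str) -> bool:
    """True when the decoded request target contains a parent-directory segment."""
    path = normalize(target)
    return "../" in path or path.endswith("/..")

def scan_log(text: str, prefix: str = PLUGIN_PATH) -> list:
    """Return traversal attempts aimed below `prefix`. A 2xx status on such a
    request is the finding that warrants follow-up: the file may have been served."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if normalize(target).startswith(prefix) and is_traversal(target):
            findings.append({"ip": m.group("ip"), "target": target,
                             "status": int(m.group("status"))})
    return findings
```

Pipe the real access log into `scan_log` and review any hit with a 2xx status first; a 4xx on the same pattern still shows probing but not a confirmed disclosure.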
Update the Booking Ultra Pro plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server. The update fixes this vulnerability.
CVE-2024-38717 is a Path Traversal vulnerability in the Booking Ultra Pro Appointments WordPress plugin, allowing attackers to potentially include arbitrary files.
Yes, if you are using Booking Ultra Pro Appointments version 1.1.13 or earlier, you are affected by this vulnerability.
Upgrade the Booking Ultra Pro Appointments plugin to version 1.1.14 or later to resolve this vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.