Platform
wordpress
Component
event-post
Fixed in
5.9.6
CVE-2024-38735 is a Path Traversal vulnerability in the N.O.U.S. Event post WordPress plugin. An attacker can make the plugin include files from outside the directory it intends to use, which leads to information disclosure and, if the included file is attacker-controlled PHP, to remote code execution. Versions of Event post prior to 5.9.6 are affected; 5.9.6 contains the fix.
The flaw is that a request-controlled value reaches a filesystem path without being constrained to the intended directory, so "../" sequences walk out of it. Because the path ends up in an include, this is a Local File Inclusion (LFI) rather than a plain file read: any file the web server user can read can be pulled into the application (wp-config.php with the database credentials is the usual first target), and any PHP file the attacker can already place on the server (for example through an upload feature) is executed as the site. Successful exploitation therefore ranges from disclosure of configuration and source code up to full compromise of the site and theft of its data.
CVE-2024-38735 was publicly disclosed on 2024-07-12. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not widely available, but the nature of Path Traversal vulnerabilities makes it likely that such exploits will emerge.
WordPress sites running the N.O.U.S. Event post plugin in any version before 5.9.6 are affected. Shared hosting environments deserve particular attention, since operators there often have limited control over file permissions and server configuration and so fewer ways to contain what a file-inclusion bug can reach. Sites that update plugins irregularly are at increased risk simply because they stay on a vulnerable version longer.
• wordpress / composer / npm: confirm which version is installed (anything below 5.9.6 is affected)
wp plugin list --name=event-post --fields=name,status,version,update
Deactivating is not a fix: an inactive plugin's files stay on disk, and whether the vulnerable code path can still be reached depends on details this advisory does not identify. Update or remove the plugin.
• wordpress / composer / npm: locate path concatenation in the plugin source
grep -rnF '../' /var/www/html/wp-content/plugins/event-post/
This is noisy (legitimate relative includes also contain "../") and only shows where paths are built; it does not confirm exploitability.
• generic web:
curl -I "http://your-wordpress-site.com/wp-content/plugins/event-post/../../../../etc/passwd"
Caveat: "../" in the URL path is collapsed by curl (unless --path-as-is) and by the web server before PHP runs, so this request exercises the web server, not the plugin. A real test has to place the traversal in the request parameter that the plugin hands to the filesystem, which this advisory does not name; a 200 from the line above would point to a web-server misconfiguration, not to CVE-2024-38735.
• wordpress / composer / npm: apply the fix
wp plugin update event-post
Disclosure
Exploit status
EPSS
2.21% (84th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-38735 is to upgrade the N.O.U.S. Event post plugin to version 5.9.6 or later immediately. If the upgrade has to wait for compatibility testing, reduce what a successful inclusion can reach in the meantime: make sure the web server user cannot read files outside the WordPress tree, keep wp-config.php as restrictive as the host allows, and disable or restrict any upload feature an attacker could use to stage a PHP file. A Web Application Firewall rule that blocks "../" in request parameters adds a layer, but only if it normalizes the request first: URL-encoded (%2e%2e%2f), double-encoded and backslash variants must be caught as well, and the rule has to inspect the parameter the plugin actually reads, not just the URL path. Treat the WAF as a stopgap, not a fix. After upgrading, verify the fix by replaying the traversal request against the same plugin endpoint and confirming that it is rejected.
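The advisory does not name the vulnerable function or parameter, so the following PHP is an added illustration and not the Event post plugin's own code. It shows the generic "template name from the request" include pattern behind most WordPress LFI bugs next to the hardened form: an allowlist on the name's shape, realpath() resolution, and a containment check against the template directory. The directory layout, function names and the sample names passed in are assumptions constructed for the example.

```php
<?php
// Added example for this advisory. NOT code from the Event post plugin; the
// advisory does not identify the vulnerable function or parameter, so the
// "template name from the request" pattern below is an assumption chosen
// because it is how most WordPress plugin LFI bugs are shaped.

// Vulnerable pattern: the request value is concatenated into an include()
// path unchanged. "../../../../wp-config" escapes the template directory,
// and any PHP file the attacker can place on disk becomes code execution.
function load_template_vulnerable(string $base_dir, string $name): void
{
    include $base_dir . '/' . $name . '.php';
}

// Hardened pattern: allowlist the shape of the name, resolve the real path,
// and verify it is still inside the template directory before including.
function resolve_template(string $base_dir, string $name): ?string
{
    // 1. A template name is a slug: no slashes, dots, NUL bytes or encodings.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. realpath() collapses ".." and symlinks and returns false for missing
    //    files, so the prefix comparison below is trustworthy.
    $base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit below $base. The trailing
    //    separator stops "/templates-evil/x.php" passing as "/templates/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_hardened(string $base_dir, string $name): bool
{
    $path = resolve_template($base_dir, $name);
    if ($path === null) {
        return false; // caller answers 400/404; never echo the rejected path
    }
    include $path;
    return true;
}

// Self-contained demonstration on a constructed temporary directory.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.php', "<?php // harmless template\n");
file_put_contents($root . '/secret.php',
    "<?php echo \"secret.php executed: traversal succeeded\\n\";\n");

echo "vulnerable, name=../secret -> ";
load_template_vulnerable($root . '/templates', '../secret');

foreach (['default', '../secret', 'default/../../secret', "default\0"] as $name) {
    $ok = load_template_hardened($root . '/templates', $name);
    printf("hardened, name=%s -> %s\n", addcslashes($name, "\0"), $ok ? 'included' : 'rejected');
}

// Remove the constructed files again.
unlink($root . '/templates/default.php');
unlink($root . '/secret.php');
rmdir($root . '/templates');
rmdir($root);
```

Run it with `php lfi-demo.php`: the vulnerable function executes secret.php from outside the template directory, while the hardened function includes only `default` and rejects the three traversal variants. The slug allowlist alone would already block them; the realpath() containment check is kept as a second, independent barrier so that a future relaxation of the allowlist (say, to permit subdirectories) cannot silently reopen the traversal.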
Update the Event post plugin to the latest available version. The Local File Inclusion (LFI) vulnerability is fixed in versions after 5.9.5. See the plugin documentation for detailed update instructions.
CVE-2024-38735 is a Path Traversal vulnerability in the N.O.U.S. Event post WordPress plugin, allowing attackers to potentially read arbitrary files on the server.
You are affected if you are using N.O.U.S. Event post version 5.9.5 or earlier. Upgrade to version 5.9.6 to resolve the issue.
Upgrade the N.O.U.S. Event post plugin to version 5.9.6. As a temporary workaround, restrict file access permissions and validate user input.
There is currently no confirmed active exploitation, but the vulnerability's nature makes it likely that exploits will emerge.
Refer to the N.O.U.S. website or the WordPress plugin repository for the official advisory and update information.