Platform
wordpress
Component
timeline-and-history-slider
Fixed in
2.3.1
CVE-2024-43232 describes a Path Traversal vulnerability within the Timeline and History slider component of WP OnlineSupport. This flaw allows for PHP Local File Inclusion, potentially granting attackers unauthorized access to sensitive files on the server. The vulnerability impacts versions of the plugin up to and including 2.3. A patch has been released in version 2.3.1.
The Path Traversal vulnerability allows an attacker to manipulate file paths, bypassing intended security restrictions. In this case, it enables PHP Local File Inclusion (LFI). An attacker could leverage this to include arbitrary PHP files from the server's filesystem, potentially leading to the disclosure of sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could also allow an attacker to execute arbitrary code on the server if they can include a malicious PHP file. The blast radius extends to any data accessible through the web server's file system.
CVE-2024-43232 was publicly disclosed on 2024-08-19. While no public proof-of-concept (PoC) code has been widely reported for this specific flaw, Path Traversal is a well-understood attack vector and PoC code for this class of vulnerability is readily available. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the WP OnlineSupport Timeline and History slider plugin, particularly those running versions prior to 2.3.1, are at risk. Shared hosting environments where plugin updates are not managed by the site administrator are also particularly vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/timeline-and-history-slider/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/timeline-and-history-slider/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.77% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43232 is to immediately upgrade the WP OnlineSupport Timeline and History slider plugin to version 2.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path manipulation attempts. Specifically, look for patterns attempting to traverse directories (e.g., '../'). Additionally, restrict file permissions on sensitive files to prevent unauthorized access, even if the vulnerability is exploited. After upgrading, confirm the fix by attempting to access files outside the intended directory through the plugin’s interface; access should be denied.
Update the Timeline and History slider plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server. The update fixes this vulnerability.
CVE-2024-43232 is a Path Traversal vulnerability in the WP OnlineSupport Timeline and History slider plugin, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using WP OnlineSupport Timeline and History slider version 2.3 or earlier. Upgrade to 2.3.1 to resolve the issue.
Upgrade the WP OnlineSupport Timeline and History slider plugin to version 2.3.1 or later. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no confirmed active exploitation has been publicly reported, the vulnerability's ease of exploitation suggests it is a potential target for attackers.
Refer to the WP OnlineSupport website or WordPress plugin repository for the official advisory and update information.