Platform: wordpress
Component: wp-newsletter-subscription
Fixed in: 1.1.1
CVE-2024-44012 describes a Path Traversal vulnerability within the WP Newsletter Subscription plugin. This flaw allows an attacker to include arbitrary files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of the plugin up to and including 1.1, with a fix available in version 1.1.1.
The primary impact of this vulnerability is the potential for Local File Inclusion (LFI). An attacker can exploit this by manipulating file paths to access sensitive files on the server, such as configuration files, database credentials, or even core WordPress files. Successful exploitation could lead to complete compromise of the WordPress installation, including data theft, modification, or deletion. The attacker could also potentially execute arbitrary code on the server if they can include a file containing malicious code, such as a PHP script.
This vulnerability was publicly disclosed on 2024-10-05. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog as of this writing. The ease of exploitation is relatively high due to the Path Traversal nature of the vulnerability, but the lack of public exploits suggests limited current interest.
Websites using the WP Newsletter Subscription plugin, particularly those running older versions (≤1.1), are at risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin configurations and security measures. Sites with weak file permissions or inadequate server-level security configurations are also at increased risk.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/wp-newsletter-subscription/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/wp-newsletter-subscription/../../../../etc/passwd
Exploit status:
EPSS: 0.30% (53rd percentile)
CISA SSVC:
CVSS vector:
The most effective mitigation is to immediately upgrade the WP Newsletter Subscription plugin to version 1.1.1 or later. If upgrading is not immediately possible due to compatibility issues or testing requirements, consider restricting file access permissions on the server to limit the potential impact of a successful exploit. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block attempts to access files outside of the designated directory can provide an additional layer of defense. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
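A defender-side check of the kind the WAF and log-review advice above calls for, written here as an added example (not code from the advisory or the plugin): it scans access-log lines for requests that try to step out of the plugin directory, including percent- and double-encoded variants, over a few constructed log lines. The plugin path and the combined log format are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: the plugin is installed at the default WordPress plugin path.
PLUGIN_PREFIX = "/wp-content/plugins/wp-newsletter-subscription/"
# Combined log format: the request line is the first double-quoted field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"')

def decode_path(raw_path: str) -> str:
    """Drop the query string, undo percent-encoding twice (to catch double
    encoding such as %252e) and treat backslashes as separators."""
    path = raw_path.split("?", 1)[0]
    return unquote(unquote(path)).replace("\\", "/")

def normalize_path(raw_path: str) -> str:
    """Resolve ./ and ../ segments the way the filesystem would."""
    return posixpath.normpath("/" + decode_path(raw_path).lstrip("/"))

def escapes_plugin_dir(raw_path: str) -> bool:
    """True when a request aimed at the plugin path resolves outside it."""
    if not decode_path(raw_path).startswith(PLUGIN_PREFIX):
        return False  # not aimed at this plugin at all
    base = PLUGIN_PREFIX.rstrip("/")
    resolved = normalize_path(raw_path)
    return resolved != base and not resolved.startswith(base + "/")

def find_traversal_attempts(log_lines):
    """Return (line_number, request_path, resolved_path) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and escapes_plugin_dir(match.group(1)):
            hits.append((number, match.group(1), normalize_path(match.group(1))))
    return hits

# Constructed sample access-log lines in combined log format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/wp-newsletter-subscription/assets/style.css HTTP/1.1" 200 1024',
    '203.0.113.5 - - [05/Oct/2024:10:00:02 +0000] "GET /wp-content/plugins/wp-newsletter-subscription/../../../../etc/passwd HTTP/1.1" 403 0',
    '203.0.113.5 - - [05/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/wp-newsletter-subscription/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 403 0',
    '203.0.113.5 - - [05/Oct/2024:10:00:04 +0000] "GET /wp-content/plugins/wp-newsletter-subscription/%252e%252e/%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 403 0',
    '198.51.100.7 - - [05/Oct/2024:10:00:05 +0000] "GET /wp-content/plugins/wp-newsletter-subscription/./form.php?id=3 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, raw, resolved in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {number}: {raw} -> {resolved}")
```

The same containment check (resolve, then compare against the plugin base directory) is what a fixed include routine or a WAF rule should enforce; a request that merely stays inside the plugin directory, like the `./form.php` line, is not reported.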
Update the WP Newsletter Subscription plugin to the latest available version. If no fixed version is available, consider disabling or removing the plugin until a corrected version is published. Review the plugin's settings to ensure no option allows local file inclusion.
CVE-2024-44012 is a Path Traversal vulnerability in the WP Newsletter Subscription plugin that allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or code execution.
You are affected if you are using WP Newsletter Subscription version 1.1 or earlier. Upgrade to version 1.1.1 to resolve the vulnerability.
Upgrade the WP Newsletter Subscription plugin to version 1.1.1 or later. As a temporary workaround, restrict access to the plugin directory using your web server configuration.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target for attackers.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.