Platform
wordpress
Component
vr-calendar-sync
Fixed in
2.4.1
CVE-2024-44013 describes a Path Traversal vulnerability within the VR Calendar WordPress plugin. This vulnerability allows for PHP Local File Inclusion, enabling an attacker to potentially access and execute arbitrary files on the server. The vulnerability impacts versions of VR Calendar up to and including 2.4.0, with a fix released in version 2.4.1.
The primary impact of this vulnerability is unauthorized access to sensitive files on the web server. An attacker could leverage the Path Traversal flaw to include arbitrary PHP files, leading to information disclosure and potentially code execution. Successful exploitation could allow an attacker to read configuration files containing database credentials, source code, or other sensitive data. Depending on the server's configuration and file permissions, the attacker might also be able to execute malicious code, resulting in remote code execution (RCE) and full control of the WordPress instance.
CVE-2024-44013 was publicly disclosed on 2024-10-05. While no active exploitation campaigns have been publicly reported, the availability of a Path Traversal vulnerability in a widely used WordPress plugin presents a significant risk. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation.
Websites utilizing the VR Calendar plugin, particularly those running older versions (≤2.4.0), are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and plugin security. WordPress sites with weak file permission settings or inadequate input validation are also at increased risk.
• wordpress / composer / npm:
grep -rnF '../' /var/www/html/wp-content/plugins/vr-calendar-sync/
• wordpress / composer / npm:
wp plugin list --status=active | grep vr-calendar-sync
• wordpress / composer / npm:
wp plugin update vr-calendar-sync
Disclosure
Exploit status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade the VR Calendar plugin to version 2.4.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file access permissions on the server to minimize the potential impact of a successful exploit. Implement a Web Application Firewall (WAF) with rules to block attempts to access files outside of the designated directory. Carefully review the plugin's configuration and ensure that any file upload or inclusion mechanisms are properly validated and sanitized. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
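The two controls recommended above, a WAF rule that blocks traversal attempts and server-side validation of any user-supplied file name before inclusion, are illustrated below in Python. This is an added example written for this advisory, not code from the VR Calendar plugin or its vendor (the plugin itself is PHP); the request path `/wp-content/plugins/example-plugin/view.php`, the `file` parameter and the access-log lines are constructed for illustration and are not the plugin's real endpoint or parameter.

```python
"""Detection and containment checks for path-traversal / LFI attempts.

Added example for this advisory, not the plugin's code. The endpoint,
parameter name and log lines below are constructed placeholders.
"""
from __future__ import annotations

import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# What a WAF rule typically rejects after normalisation: parent-directory
# segments, NUL bytes (historic include truncation) and stream wrappers,
# which turn a file include into something other than a local template.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (defeats double encoding) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal_attempt(value: str) -> bool:
    """True if a request parameter looks like a traversal/LFI payload."""
    norm = normalize(value)
    return bool(
        TRAVERSAL_RE.search(norm) or "\x00" in norm or WRAPPER_RE.match(norm)
    )


def resolve_within(base_dir: str, requested: str) -> str | None:
    """Server-side containment check an include mechanism should apply.

    Canonicalises base_dir/requested and requires the result to stay under
    base_dir. Returns the absolute path, or None if the name is rejected.
    Combine with an allowlist of expected template names where possible.
    """
    if "\x00" in requested or WRAPPER_RE.match(requested):
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base if `requested` is absolute, so an absolute
    # path also ends up outside `base` and is rejected below.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return target


# Constructed access-log lines (Apache combined style, shortened). The
# plugin path and parameter are hypothetical; the traffic is not real.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?file=event.php HTTP/1.1" 200 512
203.0.113.11 - - [05/Oct/2024:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/view.php?file=../../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.12 - - [05/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/example-plugin/view.php?file=..%252f..%252fwp-config.php HTTP/1.1" 200 2048
203.0.113.13 - - [05/Oct/2024:10:00:04 +0000] "GET /?p=12 HTTP/1.1" 200 9000
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def flag_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, raw_value) for each suspicious parameter."""
    hits: list[tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, target = m.groups()
        # parse_qsl decodes one layer; normalize() handles further layers.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if is_traversal_attempt(value):
                hits.append((ip, key, value))
    return hits


if __name__ == "__main__":
    for ip, key, value in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {key}={value!r}")
    templates = "/srv/wordpress/wp-content/plugins/example-plugin/templates"
    print(resolve_within(templates, "event.php"))            # inside: accepted
    print(resolve_within(templates, "../../wp-config.php"))  # outside: None
```

The detector and the containment check are deliberately separate: the WAF rule reduces noise and buys time, but only the server-side `resolve_within` style check (ideally with an allowlist of known template names) removes the vulnerability class, which is why the permanent fix is the plugin upgrade rather than the filter.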
Update the VR Calendar plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server. The update fixes this vulnerability.
CVE-2024-44013 is a Path Traversal vulnerability in the VR Calendar WordPress plugin that allows attackers to include arbitrary files, potentially leading to code execution.
You are affected if you are using VR Calendar version 2.4.0 or earlier. Upgrade to version 2.4.1 to resolve the vulnerability.
Upgrade the VR Calendar plugin to version 2.4.1 or later. As a temporary workaround, restrict file access permissions and validate user input.
While no active exploitation campaigns have been confirmed, the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the Innate Images LLC website and WordPress plugin repository for the official advisory and update information.