Plattform
wordpress
Komponente
wp-timelines
Behoben in
3.6.8
CVE-2024-47323 describes a Path Traversal vulnerability within the WP Timeline – Vertical and Horizontal timeline plugin for WordPress. This flaw allows attackers to potentially include arbitrary PHP files, leading to code execution and compromise of the WordPress site. The vulnerability affects versions of the plugin up to and including 3.6.7, and a patch has been released in version 3.6.8.
The core of this vulnerability lies in the improper handling of file paths within the WP Timeline plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and accessing files outside the designated directory. Successful exploitation could allow an attacker to include sensitive configuration files, source code, or even system binaries, leading to information disclosure, denial of service, or, most critically, remote code execution. This could grant the attacker complete control over the affected WordPress instance, enabling them to modify content, install malware, or compromise user data. The potential impact is significant, especially for sites relying on the plugin for critical timeline functionality.
CVE-2024-47323 was publicly disclosed on 2024-10-05. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is likely to be medium, given the relatively straightforward nature of path traversal vulnerabilities and the widespread use of WordPress plugins. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Websites using the WP Timeline plugin, particularly those running older, unpatched versions (≤3.6.7), are at significant risk. Shared hosting environments are especially vulnerable, as they often lack granular control over file permissions and security configurations. Sites with weak WordPress security practices, such as default user credentials or outdated plugins, are also more susceptible to exploitation.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/wp-timeline/• wordpress / composer / npm:
wp plugin list --status=inactive | grep timeline• wordpress / composer / npm:
find /var/www/html/wp-content/plugins/wp-timeline/ -name '*.php' -print0 | xargs -0 grep -i 'include($_GET['file']);'disclosure
Exploit-Status
EPSS
0.65% (71% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2024-47323 is to immediately upgrade the WP Timeline plugin to version 3.6.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement due to the nature of path traversal, careful review of file access patterns and restrictions within the plugin’s code can help identify potential attack vectors. Monitor WordPress access logs for unusual file access attempts, particularly those involving relative paths or directory traversal sequences (e.g., '../').
Actualice el plugin WP Timeline a la última versión disponible. La vulnerabilidad de inclusión de archivos locales permite a atacantes acceder a archivos sensibles del servidor. La actualización corrige esta vulnerabilidad.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-47323 is a Path Traversal vulnerability in the WP Timeline plugin for WordPress, allowing attackers to potentially include arbitrary PHP files and execute code.
You are affected if you are using the WP Timeline plugin version 3.6.7 or earlier. Upgrade to version 3.6.8 to mitigate the risk.
The recommended fix is to upgrade the WP Timeline plugin to version 3.6.8. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and monitoring logs.
While there are currently no confirmed active campaigns, the vulnerability's nature makes it likely to be targeted, so prompt mitigation is crucial.
Refer to the Ex-Themes website and WordPress plugin repository for the official advisory and update information regarding CVE-2024-47323.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.