Platform
wordpress
Component
wp-timelines
Fixed in
3.6.8
CVE-2024-47324 describes a Path Traversal vulnerability within the WP Timeline – Vertical and Horizontal timeline plugin for WordPress. This flaw allows an attacker to include arbitrary files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of the plugin up to and including 3.6.7, with a fix released in version 3.6.8.
The core impact of this vulnerability is PHP Local File Inclusion (LFI). An attacker could use it to read sensitive files from the server's filesystem, such as wp-config.php with its database credentials, or application source code. More critically, because an included file is executed as PHP, an attacker who can place content of their choosing somewhere on the filesystem (for example through an upload feature or by poisoning a log file) and then include it can run arbitrary code and take complete control of the affected WordPress instance. This could involve modifying website content, installing malware, or pivoting to other systems on the network. The potential blast radius extends to any data stored in the WordPress database or readable by the web server process.
CVE-2024-47324 was publicly disclosed on 2024-10-05. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the ease of exploitation associated with Path Traversal vulnerabilities makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Websites using the WP Timeline – Vertical and Horizontal timeline plugin, particularly those running older versions (≤3.6.7), are at risk. Shared hosting environments are especially vulnerable, as they often have limited access controls and a higher density of vulnerable plugins.
• wordpress (WP-CLI): confirm the installed version. The plugin directory may be named wp-timeline or wp-timelines; check wp-content/plugins before relying on the slug:
wp plugin get wp-timeline --field=version
• wordpress (WP-CLI): list every timeline plugin, including inactive copies, since an inactive plugin still leaves its files on disk:
wp plugin list | grep -i timeline
• wordpress (WP-CLI): update the plugin (the --all flag is for updating every plugin and is not combined with a plugin name):
wp plugin update wp-timeline
• generic web: grepping the plugin directory for "../" only finds relative paths in the plugin's own source and says nothing about whether the installed version is affected; rely on the version check above. Check the vendor's changelog and the WordPress plugin listing for the advisory and any published indicators of compromise.
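As an added example, not part of this advisory and not the vendor's code, the following POSIX shell script decides whether an installed copy is in the affected range by reading the Version: header of the plugin's main PHP file and comparing it against 3.6.8 with sort -V. The plugin directory name (wp-timeline) and the header layout are assumptions to confirm against your installation.

```shell
#!/bin/sh
# Added example (not code from the advisory or from the plugin vendor).
# Decides whether an installed copy of WP Timeline falls in the affected
# range (<= 3.6.7) by reading the "Version:" header of the plugin's main
# file. Assumes `sort -V` (GNU coreutils or busybox) is available.
# The plugin directory name is an assumption; confirm it in wp-content/plugins.

FIXED_VERSION="3.6.8"

# version_lt A B -> success if A is strictly lower than B as a version number
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable VERSION -> success if VERSION predates the fixed release
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# header_version FILE -> prints the "Version:" value from a WordPress plugin
# header block (" * Version: 3.6.7"), or nothing if no such header is found
header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# plugin_version DIR -> prints the version declared by the first PHP file in
# DIR that carries a plugin header; fails if none does
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(header_version "$f")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# check_plugin DIR -> prints "vulnerable <v>" (exit 1), "patched <v>" (exit 0)
# or "unknown" (exit 2) when no plugin header could be read
check_plugin() {
    v=$(plugin_version "$1") || { echo "unknown"; return 2; }
    if is_vulnerable "$v"; then
        echo "vulnerable $v"
        return 1
    fi
    echo "patched $v"
    return 0
}

# Usage: sh check-wp-timeline.sh /var/www/html/wp-content/plugins/wp-timeline
if [ -n "${1:-}" ]; then
    check_plugin "$1"
fi
```

Exit status 1 means the installed version is in the affected range, 2 means no plugin header was found under the given directory. Where WP-CLI is available, `wp plugin get wp-timeline --field=version` yields the same version string and can be piped into `is_vulnerable`.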
Disclosure
Exploit status
EPSS
0.22% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47324 is to upgrade the WP Timeline plugin to version 3.6.8 or later without delay. If the upgrade cannot be applied immediately because of compatibility or testing requirements, deactivate the plugin (or remove it if it is unused) until it can be patched; an inactive plugin still leaves its files on disk, so deactivation is a stopgap, not a fix. Tightening filesystem permissions does not stop a local file inclusion from reading files the web server already has to read, such as wp-config.php, but keeping the plugin directory and other code directories non-writable by the web server user limits what an attacker can turn an inclusion into. PHP's open_basedir can confine include() to the web root, which blocks reads of files such as /etc/passwd but not of files inside the WordPress installation. A Web Application Firewall can be configured to block requests containing traversal sequences such as ".." in plain or URL-encoded form (%2e%2e) and absolute paths. Monitor web-server access logs for such requests, and WordPress and PHP error logs for unexpected include failures.
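The log monitoring and WAF pattern described above, as an added example that is not part of this advisory, the vendor's code or any WAF product: a POSIX shell script that flags access-log lines carrying a traversal sequence in plain, URL-encoded or double-encoded form and ranks the source addresses. The log format is assumed to be the common combined format; the sample lines are constructed, and the query-parameter name in them is made up rather than the plugin's real parameter.

```shell
#!/bin/sh
# Added example (not code from the advisory, the plugin vendor or any WAF
# product): flag web-server access-log lines that carry a directory-traversal
# sequence, plain or URL-encoded, so that attempts against an LFI bug can be
# spotted before or after patching. Assumes the common nginx/Apache combined
# log format (client address is the first field). The sample lines below are
# constructed and the "tpl" parameter is made up, not the plugin's real one.

# "..", "%2e%2e" or the double-encoded "%252e%252e", followed by a separator
# in any of the same three encodings (slash or backslash). The same pattern
# can be reused in a WAF rule. Single quotes keep the backslashes intact.
TRAVERSAL_RE='(\.\.|%2e%2e|%252e%252e)(/|\\|%2f|%5c|%252f|%255c)'

# traversal_lines: stdin -> matching lines (case-insensitive, so %2F and %2f both hit);
# never fails, so it can sit inside pipelines under `set -e`
traversal_lines() {
    grep -iE "$TRAVERSAL_RE" || true
}

# traversal_hits: stdin -> number of matching lines
traversal_hits() {
    traversal_lines | wc -l | tr -d ' '
}

# traversal_sources: stdin -> "count ip" per client address, busiest first
traversal_sources() {
    traversal_lines | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log (not real traffic). The last line contains "..1/"
# and must not match: two dots alone are not a traversal.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [05/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/wp-timeline/assets/css/style.css HTTP/1.1" 200 4412
203.0.113.5 - - [05/Oct/2024:10:00:02 +0000] "GET /index.php?tpl=../../../../wp-config.php HTTP/1.1" 200 1932
198.51.100.7 - - [05/Oct/2024:10:00:03 +0000] "GET /index.php?tpl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1322
198.51.100.7 - - [05/Oct/2024:10:00:04 +0000] "GET /index.php?tpl=%252e%252e%252fwp-config.php HTTP/1.1" 404 0
192.0.2.9 - - [05/Oct/2024:10:00:05 +0000] "GET /blog/2024/10/05/timeline-update.html HTTP/1.1" 200 8801
192.0.2.9 - - [05/Oct/2024:10:00:06 +0000] "GET /assets/v2..1/app.js HTTP/1.1" 200 7720
EOF
)

# Usage: sh traversal-scan.sh /var/log/nginx/access.log
if [ -n "${1:-}" ]; then
    traversal_sources < "$1"
fi
```

On the constructed sample the script reports three hits, two from 198.51.100.7 and one from 203.0.113.5, and ignores the "v2..1/" path. A 200 response to a traversal request deserves more attention than a 404, since it suggests the inclusion succeeded.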
Update the WP Timeline plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server. The update fixes this vulnerability and protects your website.
CVE-2024-47324 is a Path Traversal vulnerability in the WP Timeline plugin allowing attackers to include arbitrary files, potentially leading to code execution. It affects versions up to 3.6.7.
You are affected if you are using the WP Timeline plugin version 3.6.7 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WP Timeline plugin to version 3.6.8 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the Ex-Themes website and WordPress plugin repository for the official advisory and update information.