Platform: wordpress
Component: maxslider
Fixed in: 1.2.4
CVE-2024-47351 describes a Path Traversal vulnerability discovered in the MaxSlider WordPress plugin. This flaw allows unauthorized access to sensitive files on the server by manipulating file paths. Versions of MaxSlider prior to 1.2.4 are affected, and a patch has been released to address the issue. Promptly updating the plugin is crucial to mitigate the risk.
The core of this vulnerability lies in the improper handling of file paths within the MaxSlider plugin. An attacker can craft malicious requests containing path traversal sequences (e.g., ../) to bypass intended access controls. This allows them to navigate outside the intended directory and access files they shouldn't be able to see. Successful exploitation could lead to the disclosure of sensitive server-side files, including configuration files containing database credentials, application source code, or even system files. The potential impact extends beyond simple information disclosure; an attacker could potentially leverage access to these files to escalate privileges or compromise the entire WordPress installation.
CVE-2024-47351 was publicly disclosed on 2024-10-16. There is no indication of active exploitation campaigns at this time, but the ease of exploitation and the potential impact make it a high-priority vulnerability. No public proof-of-concept (PoC) code has been released, but the vulnerability type is well-understood, and a PoC is likely to emerge. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the MaxSlider plugin, particularly those running older versions (≤1.2.3), are at risk. Shared hosting environments where users have limited control over server configurations are especially vulnerable, as they may be less able to implement workarounds or monitor for suspicious activity. Sites with sensitive data stored on the same server are also at heightened risk.
• wordpress / composer / npm:
  grep -r "../" /var/www/html/wp-content/plugins/maxslider/
• generic web:
  curl -I http://your-wordpress-site.com/wp-content/plugins/maxslider/../../../../etc/passwd
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep maxslider
• wordpress / composer / npm:
  wp plugin update maxslider

Disclosure
Exploit status
EPSS: 0.29% (53rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-47351 is to immediately upgrade the MaxSlider plugin to version 1.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These include restricting file access permissions on the server to limit the impact of a potential breach. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious path traversal sequences. Regularly monitor server logs for unusual file access patterns or attempts to access files outside the expected directories. Consider implementing a file integrity monitoring system to detect unauthorized modifications to critical files.
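As an added example (not from this page or the plugin vendor) of the log monitoring and WAF-style matching recommended above, the following Python script scans access-log lines in the Apache/Nginx combined format for requests under the MaxSlider plugin path that contain a `..` segment. It percent-decodes the request target first, repeatedly, because a plain `grep "../"` misses `%2e%2e%2f` and double-encoded `%252e%252e%252f`. The log lines, timestamps and IP addresses are constructed; the plugin directory name comes from the advisory and the rest of the path is the standard WordPress layout.

```python
"""Added example, not the page's or the plugin vendor's code: flag access-log
requests that combine the MaxSlider plugin path with a traversal sequence.
All log lines below are constructed."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Plugin directory name as given in the advisory, under WordPress' standard plugin path.
PLUGIN_PATH = "/wp-content/plugins/maxslider/"

# Apache/Nginx "combined" format: ip ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment bounded by separators (or end of string)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f
    both end up as '../'; also fold backslashes to forward slashes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True when the decoded request target touches the plugin directory
    and contains a '..' segment."""
    decoded = decode_fully(target)
    return PLUGIN_PATH in decoded and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per matching line; unparsable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
            })
    return findings


def attempts_by_ip(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address for triage."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample: one benign asset request, three traversal attempts in
# plain, encoded and double-encoded form, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/maxslider/assets/css/style.css HTTP/1.1" 200 812
203.0.113.9 - - [16/Oct/2024:10:00:07 +0000] "GET /wp-content/plugins/maxslider/../../../wp-config.php HTTP/1.1" 200 2911
203.0.113.9 - - [16/Oct/2024:10:00:08 +0000] "GET /wp-content/plugins/maxslider/%2e%2e/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 403 199
203.0.113.9 - - [16/Oct/2024:10:00:09 +0000] "GET /wp-content/plugins/maxslider/%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 153
198.51.100.2 - - [16/Oct/2024:10:01:00 +0000] "GET /wp-content/plugins/other-plugin/../readme.txt HTTP/1.1" 200 512
198.51.100.2 - - [16/Oct/2024:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']} {f['status']} {f['target']}")
    print(attempts_by_ip(hits))
```

A flagged request that was answered with 200 deserves the closest look: the server returned something, so the response size and the file it maps to should be checked. A 403 or 404 usually means a WAF rule or the web server's own path normalization stopped the probe, which is still worth recording per source address.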
Update the MaxSlider plugin to the latest available version. If no newer version exists, consider disabling or removing the plugin until an update that fixes the vulnerability is published. Check regularly that the plugin is up to date to avoid future vulnerabilities.
CVE-2024-47351 is a Path Traversal vulnerability affecting the MaxSlider WordPress plugin, allowing attackers to read arbitrary files on the server.
You are affected if you are using MaxSlider version 1.2.3 or earlier. Upgrade to version 1.2.4 to resolve the vulnerability.
Upgrade the MaxSlider plugin to version 1.2.4 or later. Consider temporary workarounds like WAF rules and file access restrictions if immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2024-47351, but proactive patching is still recommended.
Refer to the CSSIgniter Team's website or WordPress plugin repository for the official advisory and update information.