Platform
wordpress
Component
smsa-shipping-official
Fixed in
2.3.1
2.4
CVE-2024-49249 describes an arbitrary file deletion vulnerability affecting the SMSA Shipping (official) WordPress plugin. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete files on the server. Successful exploitation can lead to remote code execution, particularly if critical files like wp-config.php are targeted. The vulnerability impacts versions of the plugin up to and including 2.3, with a fix available in version 2.4.
The primary impact of CVE-2024-49249 is the ability for an authenticated attacker to delete arbitrary files on the server hosting the WordPress site. While the vulnerability requires authentication (Subscriber level or higher), this is a relatively low barrier to entry for many users. Deletion of wp-config.php is a particularly concerning scenario, as this file contains sensitive database credentials and configuration settings. Loss of this file would effectively disable the WordPress site and potentially expose database information. Further, an attacker could delete other critical files required for the WordPress installation or other plugins, leading to a denial of service or enabling further malicious activity. The ease of file deletion makes this a high-impact vulnerability.
CVE-2024-49249 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's simplicity suggests that they could emerge quickly. The relatively low authentication requirement (Subscriber access) increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2026-01-06.
WordPress websites using the SMSA Shipping plugin, particularly those with Subscriber-level users who have access to file management functionalities, are at risk. Shared hosting environments where users have limited control over server file permissions are also particularly vulnerable.
• wordpress / composer / npm:
  wp plugin list | grep smsa-shipping
• wordpress / composer / npm:
  wp plugin update smsa-shipping --version=2.4
• wordpress / composer / npm:
  grep -r 'delete_file' /var/www/html/wp-content/plugins/smsa-shipping/*
• generic web: Check the WordPress plugin directory for mentions of the vulnerability and potential exploit attempts.
EPSS
0.17% (38th percentile)
The primary mitigation for CVE-2024-49249 is to immediately upgrade the SMSA Shipping plugin to version 2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete sensitive files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts. Monitor WordPress logs for unusual file deletion activity. While not a complete solution, restricting user roles to the minimum necessary privileges can reduce the attack surface. After upgrading, confirm the fix by attempting to access and delete a non-critical file through the plugin's interface to verify that file path validation is now enforced.
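The fix described above amounts to enforcing file path validation and a proper privilege check before any deletion. The following handler is an added example written for this page, not the SMSA Shipping plugin's own code; the hook name `smsa_example_delete_label`, the `label` request parameter, the `smsa-labels` upload subdirectory and the `manage_options` capability are all assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): a file-deletion AJAX handler hardened
// against the arbitrary-file-deletion bug class behind CVE-2024-49249.
// Assumed names: hook smsa_example_delete_label, POST field 'label',
// directory wp-content/uploads/smsa-labels, capability manage_options.

// wp_ajax_ (without nopriv) already limits the hook to logged-in users.
add_action( 'wp_ajax_smsa_example_delete_label', 'smsa_example_delete_label' );

function smsa_example_delete_label() {
    // 1. Capability check: a Subscriber-level account must not reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: dies unless the 'nonce' field is valid for this action.
    check_ajax_referer( 'smsa_example_delete_label', 'nonce' );

    // 3. Confine deletion to one directory below wp-content/uploads.
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/smsa-labels' );

    // 4. Accept a bare file name only: basename() drops any directory part,
    //    sanitize_file_name() strips characters that have no place in a name.
    $name = sanitize_file_name( basename( wp_unslash( $_POST['label'] ?? '' ) ) );
    if ( false === $base || '' === $name ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // 5. Resolve the final path (realpath() follows symlinks and "../") and
    //    verify it still lies inside $base; this is the path validation the
    //    vulnerable version lacked.
    $target = realpath( $base . '/' . $name );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside allowed directory', 400 );
    }

    // 6. Delete regular files only, and log the action so deletions can be
    //    monitored as the mitigation section recommends.
    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    error_log( sprintf( 'smsa-example: user %d deleted %s', get_current_user_id(), $target ) );
    wp_send_json_success( $name );
}
```

A request naming `../../wp-config.php` is reduced to `wp-config.php` by basename() and then rejected in step 5 because no such file resolves inside the label directory.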
Update to version 2.4 or a newer patched version.
CVE-2024-49249 is a vulnerability in the SMSA Shipping WordPress plugin allowing authenticated users to delete files, potentially leading to remote code execution. It affects versions up to 2.3 and has a CVSS score of 8.1 (HIGH).
You are affected if you are using the SMSA Shipping plugin version 2.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade the SMSA Shipping plugin to version 2.4 or later. If upgrading is not possible, restrict file access permissions and implement WAF rules.
Currently, there are no confirmed reports of active exploitation, but the ease of exploitation makes it a potential target.
Refer to the official SMSA Shipping plugin website or WordPress plugin repository for the latest advisory and update information.