Platform: wordpress
Component: digipass
Fixed in: 0.3.1
CVE-2024-52378 describes an arbitrary file access vulnerability in Labs64 DigiPass, a WordPress plugin. The flaw stems from improper path validation and allows attackers to read arbitrary files on the server. Versions of DigiPass prior to 0.3.0 are affected; a patch has been released in version 0.3.1.
The Arbitrary File Access vulnerability in DigiPass allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Depending on the server's configuration and the files accessible, this could lead to complete system compromise. While no direct precedent for this specific vulnerability exists, path traversal vulnerabilities are frequently exploited to gain unauthorized access to critical system resources.
CVE-2024-52378 was publicly disclosed on 2024-11-14. Currently, there are no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The EPSS score is pending evaluation.
WordPress websites utilizing the DigiPass plugin, particularly those running versions prior to 0.3.0, are at risk. Shared hosting environments where multiple websites share the same server resources are especially vulnerable, as a compromise of one site could potentially expose files on other sites.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/digipass/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/digipass/../../../../etc/passwd' # Check for file disclosure
Exploit status:
EPSS: 0.22% (44th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-52378 is to immediately upgrade DigiPass to version 0.3.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress server to minimize the potential impact of a successful exploit. Review WordPress plugin security best practices to prevent similar vulnerabilities in the future.
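As an added example (not the plugin's own code, and not the fix Labs64 shipped in 0.3.1), the following Python function shows the kind of path confinement that "improper path validation" omits: it decodes, normalises and then verifies that a client-supplied file name still resolves inside a fixed base directory, and rejects the traversal shape quoted in the check above. The base directory and file names are constructed placeholders.

```python
import os
from urllib.parse import unquote

# Hypothetical base directory; placeholder, not DigiPass's real layout.
PLUGIN_BASE = "/var/www/html/wp-content/uploads/digipass"


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would escape the base directory."""


def resolve_confined_path(requested: str, base: str = PLUGIN_BASE) -> str:
    """Map a client-supplied file name to an absolute path inside `base`.

    Steps the vulnerable pattern (joining raw input onto a directory) skips:
      1. decode percent-encoding twice, so "%252e%252e" cannot slip through;
      2. refuse empty names, NUL bytes and absolute paths;
      3. fold backslashes into "/" and normalise "." / ".." segments;
      4. require the normalised result to still sit under `base`.
    The check is lexical (no filesystem access); if `base` may contain
    symlinks, apply os.path.realpath to the result and re-check the prefix.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if not decoded or "\x00" in decoded:
        raise PathTraversalError("empty name or NUL byte")
    if decoded.startswith("/"):
        raise PathTraversalError("absolute path not allowed")
    base_norm = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base_norm, decoded))
    # commonpath, not startswith: ".../digipass-evil" also starts with base.
    if os.path.commonpath([base_norm, candidate]) != base_norm:
        raise PathTraversalError(f"{requested!r} escapes {base}")
    return candidate


def is_safe(requested: str, base: str = PLUGIN_BASE) -> bool:
    """True when `requested` resolves to a file inside the base directory."""
    try:
        resolve_confined_path(requested, base)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample names, including the traversal shape quoted above.
    for name in ["invoice-42.pdf", "sub/dir/file.txt", "/etc/passwd",
                 "../../../../etc/passwd", "%2e%2e%2f%2e%2e%2fwp-config.php",
                 "..\\..\\wp-config.php", "%252e%252e/wp-config.php"]:
        print(f"{name!r:40} -> {'allowed' if is_safe(name) else 'blocked'}")
```

The same normalisation (double decode, backslash folding, dot-segment collapse) is what a WAF rule needs before matching on `../`, otherwise encoded variants pass the filter.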
Update the DigiPass plugin to a version later than 0.3.0. This will fix the arbitrary file download vulnerability. If no such version is available, consider disabling the plugin until an update is published.
CVE-2024-52378 is a HIGH severity vulnerability in the DigiPass WordPress plugin that allows attackers to read arbitrary files due to improper path validation. Affected versions are those prior to 0.3.1.
Yes, if you are using DigiPass version 0.3.0 or earlier, you are vulnerable to this Arbitrary File Access vulnerability.
Upgrade DigiPass to version 0.3.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While there's no confirmed active exploitation, public proof-of-concept exploits exist, increasing the risk of future attacks.
Refer to the Labs64 website and WordPress plugin repository for the official advisory and update information regarding CVE-2024-52378.