Platform
wordpress
Component
ultimate-classified-listings
Fixed in
1.4.1
CVE-2024-52448 identifies a Path Traversal vulnerability in the Ultimate Classified Listings plugin for WordPress. The flaw lets an attacker make the plugin include files it was never meant to load, leading to sensitive data disclosure and, under the right conditions, remote code execution. It affects Ultimate Classified Listings up to and including version 1.4; version 1.4.1 contains the fix.
The core impact is that the Path Traversal turns into Local File Inclusion (LFI): a request that supplies a file name containing `../` sequences (or their URL-encoded forms) is resolved relative to the plugin's directory without being constrained to it, so the attacker can reach files anywhere the web server user can read. Typical targets are wp-config.php (database credentials and salts), other plugin or theme source, and operating-system files. Because the included file is executed as PHP, the same bug becomes code execution whenever the attacker can get PHP code into any file the include can reach, for example an uploaded image that carries a PHP payload or a poisoned log file; absent such a file the impact is limited to disclosure. Either way the blast radius is the whole WordPress instance: with the database credentials from wp-config.php an attacker can read or modify all content and user data, and with code execution they control the site.
CVE-2024-52448 was publicly disclosed on November 20, 2024. There is no indication of this vulnerability being actively exploited in the wild at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the Path Traversal nature of the vulnerability makes it likely that such exploits will emerge.
WordPress sites running Ultimate Classified Listings version 1.4 or earlier are at risk. Sites whose administrators cannot or do not apply plugin updates promptly, including shared or managed hosting where updates are delayed, and outdated or unmanaged WordPress installations remain exposed for longest.
• wordpress / composer / npm (check the installed version; anything at or below 1.4 is vulnerable):
grep -r -m1 "Version:" /var/www/html/wp-content/plugins/ultimate-classified-listings/*.php
wp plugin get ultimate-classified-listings --field=version
• generic web (the plugin's readme.txt is usually web-readable and carries the version as "Stable tag"; adjust the hostname):
curl -s 'http://your-wordpress-site.com/wp-content/plugins/ultimate-classified-listings/readme.txt' | grep -i "stable tag"
Exploit status
EPSS
0.22% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-52448 is to upgrade the Ultimate Classified Listings plugin to version 1.4.1 or later immediately. If an upgrade is not immediately feasible because of compatibility issues, apply temporary workarounds: tighten file permissions on the server so the web server user can read as little as possible outside the site root, and put a Web Application Firewall (WAF) rule in front of the site that blocks path traversal attempts. Such a rule must match URL-encoded variants (`%2e%2e%2f`, `..%2f`, double-encoded `%252e%252e`) and backslashes as well as a literal `../`, because a rule that only looks for the literal string is trivially bypassed. Disabling the plugin until it is updated is the safest workaround. After upgrading, verify the fix by sending a request to the plugin's file-loading parameter with a traversal payload (not to the plugin's URL path: the web server collapses `../` in the path before PHP ever sees it, so a path-only test proves nothing) and confirm that nothing outside the intended directory is returned.
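The following is an added example, not code from the advisory or from the Ultimate Classified Listings plugin. It covers both the detection side (the request pattern a WAF rule or log scan should flag, applied to constructed access-log lines) and the fix side (resolving a user-supplied file name with realpath and refusing anything that leaves the allowed directory, the same pattern a PHP fix would use with realpath()). The endpoint and the `file` parameter in the sample requests are placeholders; the advisory does not name the vulnerable parameter.

```python
"""Added example for CVE-2024-52448-style path traversal to LFI.

flag_traversal(): decision a WAF rule or log scan should make. It decodes
the request target the way a lenient PHP backend would (repeated percent
decoding, backslash to slash, null bytes dropped) so encoded variants are
caught, not only a literal '../'.

resolve_within(): the fix pattern for the plugin side. The requested name
is resolved against the templates directory and rejected unless its real
path stays inside it (symlinks pointing out are rejected too).

Log lines and parameter names below are constructed placeholders.
"""
import os
import re
import tempfile
from typing import List, Optional
from urllib.parse import unquote

# Constructed Apache-style access log lines (not real traffic). The
# endpoint and the 'file' parameter are placeholders, not the plugin's.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=listing_view&file=listing HTTP/1.1" 200 512
203.0.113.5 - - [20/Nov/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=listing_view&file=../../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.5 - - [20/Nov/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=listing_view&file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024
203.0.113.5 - - [20/Nov/2024:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=listing_view&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048
198.51.100.7 - - [20/Nov/2024:10:02:00 +0000] "GET /listings/?page=2 HTTP/1.1" 200 9000
"""

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), map backslashes to slashes,
    drop null bytes. This is what the backend effectively sees."""
    s = target
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").replace("\x00", "")


def flag_traversal(target: str) -> bool:
    """True if, after decoding, any path or query component is exactly '..'.
    Segment-exact so 'foo..bar' or '...' does not trip it."""
    parts = re.split(r"[?&=/]", normalize(target))
    return ".." in parts


def scan_log(log_text: str) -> List[str]:
    """Return the request targets in an access log that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and flag_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Fix pattern: resolve the user-supplied name under base_dir and refuse
    anything whose real path is not strictly inside it. Absolute input is
    rejected because os.path.join discards base_dir for it; the resolved
    path then fails the prefix check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate != base and candidate.startswith(base + os.sep):
        return candidate
    return None


def demo_resolve() -> dict:
    """Throwaway templates dir with one legitimate file; try several inputs."""
    base = tempfile.mkdtemp(prefix="ucl_templates_")
    open(os.path.join(base, "listing.php"), "w").close()
    return {
        "legit": resolve_within(base, "listing.php") is not None,
        "dotdot": resolve_within(base, "../../../../etc/passwd"),
        "absolute": resolve_within(base, "/etc/passwd"),
        "empty": resolve_within(base, ""),
    }


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(demo_resolve())
```

The segment-exact check deliberately ignores strings like `....//`, which only matter against filters that strip `../` once; a WAF rule built from this logic should be paired with the upgrade, not used instead of it. On the fix side, the prefix test after realpath is what matters: checking the raw input for `..` is not enough, since encoded forms and symlinks both get past a string check.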
Update the Ultimate Classified Listings plugin to the latest available version. If you cannot update, disable or remove the plugin until the fixed version is in place. This prevents exploitation of the local file inclusion vulnerability.
CVE-2024-52448 is a Path Traversal vulnerability in the Ultimate Classified Listings WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Ultimate Classified Listings version 1.4 or earlier, you are affected by this vulnerability.
Upgrade to version 1.4.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the WebCodingPlace website and WordPress plugin repository for the latest advisory and update information.