Platform
wordpress
Component
wp-bootscraper
Fixed in
2.1.1
CVE-2024-52449 describes a Path Traversal vulnerability within the Navneil Bootscraper plugin for WordPress. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of Bootscraper up to and including 2.1.0, and a patch is available in version 2.1.1.
The primary impact of this vulnerability is the ability for an attacker to leverage PHP Local File Inclusion (LFI). By manipulating file paths, an attacker can trick the application into including files outside of the intended directory. This could allow them to read sensitive configuration files, source code, or even execute arbitrary PHP code if the server's PHP configuration permits it. Successful exploitation could lead to complete server compromise, data breaches, and denial of service. The blast radius extends to any data accessible through the server's file system.
CVE-2024-52449 was published on 2024-11-20. While no public exploits have been widely reported, the Path Traversal vulnerability is a well-understood attack vector, and public proof-of-concept code could emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation depends on the server configuration and the attacker's ability to craft malicious requests.
WordPress websites utilizing the Navneil Bootscraper plugin, particularly those running older versions (≤2.1.0), are at risk. Shared hosting environments where server file permissions are less tightly controlled are especially vulnerable, as attackers may be able to leverage the vulnerability to access files belonging to other users on the same server.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/bootscraper/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/bootscraper/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.59% (69th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to immediately upgrade to Bootscraper version 2.1.1 or later. If upgrading is not immediately feasible, implement temporary workarounds to restrict file access. This includes carefully validating all user-supplied input that is used in file paths. Implement strict file access controls on the server to limit the directories that the web server can access. Consider using a Web Application Firewall (WAF) with rules to block attempts to access files outside of the intended directory. Regularly review and audit file permissions to ensure they are as restrictive as possible.
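The input-validation workaround above, shown as an added example in plain PHP (this is hypothetical code written for this page, not the Bootscraper plugin's own source; the function names, the `templates` directory and the `template` request parameter are assumptions): an unchecked include pattern of the kind behind a typical PHP LFI, next to a hardened version that pins every include to one directory and an explicit allowlist.

```php
<?php
// Added example, not the plugin's code: a hypothetical template loader
// that shows the unsafe pattern and a hardened replacement side by side.

// UNSAFE (illustrative only): the request value reaches include() unchecked,
// so "../" sequences in $name can escape the intended template directory.
function render_template_unsafe(string $template_dir, string $name): void {
    include $template_dir . '/' . $name . '.php';
}

// SAFE: accept only a plain name from an allowlist, resolve the real path,
// and require the result to stay inside $template_dir.
function resolve_template_path(string $template_dir, string $name, array $allowed): ?string {
    // Reject anything that is not a simple identifier (no slashes, dots, NUL).
    if (!preg_match('/^[a-z0-9_-]+$/i', $name)) {
        return null;
    }
    // Defence in depth: the name must also be on the explicit allowlist.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses symlinks, so the
    // prefix check below compares canonical paths, not the attacker's string.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the template directory
    }
    return $candidate;
}

function render_template_safe(string $template_dir, string $name, array $allowed): void {
    $path = resolve_template_path($template_dir, $name, $allowed);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;
}

// Usage (hypothetical parameter name; in WordPress you would use wp_die()
// instead of exit() and sanitize the value with sanitize_key() first):
// render_template_safe(__DIR__ . '/templates', $_GET['template'] ?? '', ['header', 'footer']);
```

The allowlist alone already blocks traversal; the realpath prefix check is kept so the loader stays safe even if the allowlist is later relaxed.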
Update the Bootscraper plugin to the latest available version. If no newer version exists, consider uninstalling the plugin until a fixed version is released. This prevents exploitation of the local file inclusion vulnerability.
CVE-2024-52449 is a Path Traversal vulnerability in the Navneil Bootscraper WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Bootscraper version 2.1.0 or earlier, you are affected by this vulnerability.
Upgrade the Bootscraper plugin to version 2.1.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the ease of exploitation suggests a potential for active scanning and attacks.
Refer to the official Navneil Bootscraper plugin page or WordPress.org plugin repository for the latest advisory and update information.