Platform: wordpress
Component: pluginpass-pro-plugintheme-licensing
Fixed in: 0.9.11
CVE-2024-54291 describes an Arbitrary File Access vulnerability within PluginPass, a WordPress plugin. This flaw allows attackers to manipulate web input to access files on the server's file system, potentially leading to sensitive data exposure or even remote code execution if executable files are accessed. The vulnerability impacts versions of PluginPass up to and including 0.9.10, and a fix is available in version 0.9.11.
The core of this vulnerability lies in improper input validation, allowing attackers to leverage path traversal techniques. By crafting malicious requests, an attacker can bypass intended access controls and read arbitrary files on the server's file system. This could include configuration files containing database credentials, sensitive application code, or even user data. Successful exploitation could lead to complete compromise of the WordPress installation and potentially the underlying server. While direct remote code execution isn't immediately apparent, the ability to read and potentially modify configuration files could be a stepping stone to achieving it, particularly if writable files are accessible.
CVE-2024-54291 was publicly disclosed on 2025-03-28. As of this date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The potential for exploitation is considered medium due to the relatively simple nature of path traversal attacks and the widespread use of WordPress.
WordPress websites using the PluginPass plugin, particularly those running versions 0.9.10 or earlier, are at risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and file permissions. Websites with legacy PluginPass installations or those that haven't performed regular plugin updates are also at increased risk.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/pluginpass/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/pluginpass/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --status=inactive | grep pluginpass
• wordpress / composer / npm:
wp plugin update pluginpass
Disclosure
Exploit status
EPSS: 0.24% (48th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-54291 is to immediately upgrade PluginPass to version 0.9.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the WordPress plugin directory and any files accessible through the web server have the most restrictive permissions possible. Web Application Firewalls (WAFs) can also be configured to detect and block requests containing path traversal sequences (e.g., ../). Monitor WordPress logs for suspicious file access attempts.
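The WAF and log-monitoring advice above hinges on one detail that a literal search for "../" misses: traversal sequences arrive percent-encoded (%2e%2e%2f), double-encoded (%252e) or with backslashes. The following detector is an added example for this advisory, not code from the PluginPass project or from the advisory's author. It assumes Apache/nginx "combined" access-log format and watches the plugin directory name "pluginpass" (taken from the page's own detection commands); the log lines it runs over are constructed, not real traffic.

```python
"""Flag path-traversal attempts against a WordPress plugin path in
web-server access logs (added example; assumes the combined log format
and the plugin directory name "pluginpass" from this advisory)."""

import re
from urllib.parse import unquote

# Combined log format: client, ident, user, [time], "METHOD path HTTP/x", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Plugin directory this advisory concerns (assumption taken from the page's commands).
WATCHED_PREFIX = "/wp-content/plugins/pluginpass"


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode repeatedly (so %2e%2e%2f and the
    double-encoded %252e both become '..'), and map backslashes to slashes."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded: stop once decoding no longer changes the string
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when the request targets the watched plugin path and, after
    normalization, contains a '..' path segment."""
    path = normalize_path(raw_path)
    if not path.startswith(WATCHED_PREFIX):
        return False
    return ".." in path.split("/")


def find_traversal_attempts(log_lines):
    """Return (client_ip, raw_path, status) for every line that looks like a
    traversal attempt against the watched plugin path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/pluginpass/../../../../etc/passwd HTTP/1.1" 404 152 "-" "curl/8.0"',
    '203.0.113.7 - - [28/Mar/2025:10:01:05 +0000] "GET /wp-content/plugins/pluginpass/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '203.0.113.9 - - [28/Mar/2025:10:02:11 +0000] "GET /wp-content/plugins/pluginpass/..%252f..%252fwp-config.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [28/Mar/2025:10:03:00 +0000] "GET /wp-content/plugins/pluginpass/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [28/Mar/2025:10:03:30 +0000] "GET /wp-content/themes/twentytwentyfour/../../index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        # A 200 on a traversal path deserves immediate follow-up; 403/404 show the
        # attempt was blocked or missed, but still identify a probing client.
        print(f"{ip} {status} {path}")
```

On the constructed sample the function reports the three requests against the plugin path (plain, percent-encoded and double-encoded) and ignores both the legitimate asset request and the traversal aimed at a different directory; drop the `WATCHED_PREFIX` check to monitor the whole site. The same decode-then-inspect order is what a WAF rule needs: matching on the raw request line catches only the unencoded form.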
Update the PluginPass plugin to the latest available version. The vulnerability allows arbitrary file download and deletion, so it is crucial to update as soon as possible. Check the plugin's page in the WordPress repository for the most recent version.
CVE-2024-54291 is a HIGH severity vulnerability in PluginPass affecting versions up to 0.9.10. It allows attackers to read files on the server through path traversal.
You are affected if you are using PluginPass version 0.9.10 or earlier. Check your plugin version and update immediately.
Upgrade PluginPass to version 0.9.11 or later. If immediate upgrade is not possible, restrict file access permissions and implement WAF rules.
Currently, there are no confirmed active exploits, but the vulnerability's nature makes it a potential target.
Refer to the PluginPass project's official website or repository for the latest security advisories and updates.