Platform
wordpress
Component
pandavideo
Fixed in
1.4.1
A critical Local File Inclusion (LFI) vulnerability, tracked as CVE-2024-5456, affects the Panda Video plugin for WordPress in all versions up to and including 1.4.0. Authenticated attackers with Contributor-level access or higher can abuse the 'selected_button' parameter to include arbitrary files on the server; because the web server executes any PHP found in an included file, this can expose sensitive data, lead to code execution, and compromise the whole WordPress installation. The vulnerability was publicly disclosed on July 9, 2024 and is fixed in version 1.4.1; affected sites should upgrade as soon as possible.
The impact is significant because the LFI can be turned into remote code execution. An attacker holding a legitimate Contributor account supplies a file path in the 'selected_button' parameter; if the included file contains PHP, the web server executes it with the privileges of the WordPress process. From there the attacker can read files on the server, modify site content, drop web shells or other malware, and pivot to systems reachable from the host. The classic escalation path is to upload a file that passes as harmless, such as an image with PHP embedded in it, and then include it, which sidesteps the usual upload-type restrictions. Note that a default WordPress Contributor cannot upload media (the upload_files capability starts at the Author role), so that chain needs an Author-or-higher account or a plugin that grants uploads to Contributors; a plain Contributor is still able to include files that already exist on the server.
CVE-2024-5456 is not listed in the CISA KEV catalog at the time of writing, and no public proof-of-concept code is confirmed here, although one may well appear given the low skill required and the public disclosure. The EPSS score recorded below is 0.58% (69th percentile): a modest estimated probability of exploitation in the next 30 days, but higher than for most CVEs. Automated campaigns sweeping WordPress plugins are common, and this issue only needs a Contributor account, so sites with open registration or many low-privilege users should treat it as a priority.
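An exploitation attempt has to carry the parameter in the request, so a web server access log can be searched for suspicious 'selected_button' values. The script below is an added example, not code from the advisory or from the Panda Video plugin; it assumes a combined-format access log, and the request path in the constructed sample lines is a placeholder, since the advisory names the parameter but not the endpoint that reads it.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Panda Video plugin.
# Hunts a combined-format web server access log for requests whose
# selected_button value looks like a file inclusion attempt. The request
# path used in the sample lines is a placeholder: the advisory names the
# parameter but not the endpoint that reads it.

# Suspicious selected_button values: an absolute path, a traversal sequence,
# a PHP stream wrapper, or a reference to sensitive files, raw or URL-encoded.
LFI_PATTERN='selected_button=(/|%2f|[^ &"]*((\.\.|%2e%2e)(/|%2f|\\|%5c)|(php|data|file|phar|expect)(://|%3a)|wp-config|/etc/))'

# Print every log line matching LFI_PATTERN (case-insensitive); print nothing otherwise.
hunt_lfi_attempts() {
    grep -iE "$LFI_PATTERN" "$1" || true
}

# Number of matching lines.
count_lfi_attempts() {
    hunt_lfi_attempts "$1" | wc -l | tr -d ' '
}

# Source IPs of matching requests, most active first.
lfi_source_ips() {
    hunt_lfi_attempts "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log (not real traffic). Prints the file path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
198.51.100.10 - - [09/Jul/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?selected_button=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2024:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?selected_button=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [09/Jul/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?selected_button=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.10 - - [09/Jul/2024:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?selected_button=button_2&post=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jul/2024:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?selected_button=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.22 - - [09/Jul/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Jul/2024:10:03:41 +0000] "GET /wp-admin/admin-ajax.php?selected_button=/etc/passwd HTTP/1.1" 200 1024 "-" "python-requests/2.31"
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo against the constructed sample.
log=$(make_sample_log)
echo "suspicious requests: $(count_lfi_attempts "$log")"
lfi_source_ips "$log"
rm -f "$log"
```

Only GET query strings show up in a standard access log; if the parameter is sent in a POST body, you need WAF logs or application-level request logging to see it. Because exploitation requires an authenticated Contributor, correlate any hit with the WordPress login and user activity logs for the same source address and time window, and review that account.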
Any WordPress site running the Panda Video plugin at version 1.4.0 or earlier is affected. The risk is highest where untrusted or weakly vetted users hold Contributor-level access or higher: sites with open registration, multi-author blogs, and sites where other plugins grant extra capabilities such as file uploads to low-privilege roles. Shared hosting environments deserve particular attention, since site owners there often cannot tighten file permissions or deploy a web application firewall themselves.
Detection (run on the web host; adjust the path to your WordPress root):
• Confirm the plugin is installed and read its version with WP-CLI:
  wp plugin get panda-video --field=version
• Locate the code that consumes the vulnerable parameter:
  grep -rn 'selected_button' /var/www/html/wp-content/plugins/panda-video/
• Fingerprint a site from the outside through the plugin's public readme (works only if the file is web-readable):
  curl -s https://your-wordpress-site.com/wp-content/plugins/panda-video/readme.txt | grep -i 'stable tag'
Disclosure
July 9, 2024
Exploit status
EPSS
0.58% (69th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-5456 is to upgrade the Panda Video plugin to version 1.4.1 or later immediately. If the upgrade cannot be applied right away, deactivate the plugin until it can, and reduce exposure in the meantime: review every account with Contributor-level access or higher, disable open registration if it is not needed, and do not grant file-upload capabilities to low-privilege roles. A web application firewall can block requests whose 'selected_button' value contains path traversal sequences (../ and its URL-encoded forms), absolute paths, or PHP stream wrappers such as php://; treat this as a stopgap, not a fix, because the server-side code has to validate the parameter against an allow-list of expected values. After upgrading, verify that the installed version is 1.4.1 or later (for example with wp plugin get panda-video --field=version) rather than relying on how the server answers a crafted request.
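To make the version check repeatable across many hosts, both for the detection step and for verifying the fix after the upgrade, here is an added example script. It is not from the advisory or from the plugin's authors; it assumes the plugin directory is wp-content/plugins/panda-video and that its readme.txt carries the "Stable tag:" header that WordPress.org plugins ship, and the directories it creates for the demo are constructed fixtures, not a real install.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Panda Video plugin.
# Decides whether an installed copy of the plugin is still on a vulnerable
# version. Assumes the plugin lives in wp-content/plugins/panda-video and
# that its readme.txt carries the WordPress.org "Stable tag:" header line.

FIXED_VERSION="1.4.1"

# Print the version declared in a plugin readme.txt
# ("Stable tag: 1.4.0" -> "1.4.0"). Returns 1 if no such line exists.
readme_version() {
    ver=$(sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1 | tr -d '\r ')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Succeeds when version $1 sorts strictly before version $2.
# Version sort keeps 1.4.10 newer than 1.4.1 (GNU sort, or a BSD sort with -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print vulnerable / patched / unknown for one plugin directory.
check_plugin_dir() {
    if ver=$(readme_version "$1/readme.txt"); then
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "vulnerable ($ver < $FIXED_VERSION)"
        else
            echo "patched ($ver)"
        fi
    else
        echo "unknown (no Stable tag in $1/readme.txt)"
    fi
}

# Constructed fixture for offline runs: a fake plugin directory whose
# readme.txt declares the given version. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '=== Panda Video ===\nStable tag: %s\n' "$1" > "$d/readme.txt"
    printf '%s\n' "$d"
}

# Stand-alone demo against two constructed directories.
for v in 1.4.0 1.4.1; do
    d=$(make_fixture "$v")
    printf '%s: %s\n' "$d" "$(check_plugin_dir "$d")"
    rm -rf "$d"
done
```

On a real host, point check_plugin_dir at /var/www/html/wp-content/plugins/panda-video (or wherever the site lives). The Stable tag in readme.txt can lag the code that is actually deployed, so when in doubt cross-check with the Version: header in the plugin's main PHP file or with wp plugin get.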
Update the Panda Video plugin to the latest available version. This resolves the local file inclusion vulnerability.
CVE-2024-5456 is a Local File Inclusion vulnerability in the Panda Video WordPress plugin, versions up to and including 1.4.0, that allows authenticated attackers with Contributor-level access or higher to include arbitrary files and thereby execute PHP code on the server.
You are affected if you are using the Panda Video plugin version 1.4.0 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Panda Video plugin to version 1.4.1 or later. Check the vendor's website or the WordPress plugin repository for the updated release.
Active exploitation has not been confirmed, but the low skill required to exploit the flaw warrants close monitoring.
Check the Panda Video plugin's official website or the WordPress plugin repository for the advisory and updated version.