Platform
wordpress
Component
classic-addons-wpbakery-page-builder-addons
Fixed in
3.0.1
CVE-2024-56286 describes a Path Traversal vulnerability within the Classic Addons – WPBakery Page Builder plugin for WordPress. This vulnerability allows for PHP Local File Inclusion, potentially granting an attacker the ability to read sensitive files or execute arbitrary code on the server. The vulnerability affects versions of the plugin up to and including 3.0. A patch is available in version 3.0.1.
The primary impact of this vulnerability is the potential for Remote Code Execution (RCE). By exploiting the Path Traversal flaw, an attacker can manipulate file paths to include sensitive files, such as configuration files or even core WordPress files. This could allow them to read sensitive data, modify website content, or even gain complete control of the server. The ability to include arbitrary files significantly expands the attack surface, enabling attackers to execute malicious code and compromise the entire WordPress installation. Successful exploitation could lead to data breaches, website defacement, and complete system takeover.
CVE-2024-56286 was publicly disclosed on 2025-01-07. The vulnerability's ease of exploitation, combined with the widespread use of WordPress and the Classic Addons plugin, suggests a medium probability of exploitation. No public proof-of-concept (PoC) code had been released as of this writing, but the nature of the vulnerability makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress websites utilizing the Classic Addons – WPBakery Page Builder plugin, particularly those running versions 3.0 or earlier, are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and plugin security. Websites with weak file access permissions are also more susceptible to exploitation.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/classic-addons-wpbakery-page-builder/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/classic-addons-wpbakery-page-builder/../../../../etc/passwd
Disclosure
Exploit status
EPSS
0.22% (44th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-56286 is to immediately upgrade Classic Addons – WPBakery Page Builder to version 3.0.1 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing stricter file permission controls on the server to limit the attacker's ability to access sensitive files. Additionally, implement a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns (e.g., '../'). Regularly review and audit the plugin's configuration to ensure it adheres to security best practices. After upgrading, confirm the vulnerability is resolved by attempting a path traversal attack and verifying that access is denied.
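A WAF rule that matches only the literal '../' misses URL-encoded and double-encoded variants, so the following added example (not code from the plugin or from this advisory) normalizes Apache-style access log lines before looking for traversal segments aimed at the plugin path. The log lines are constructed, and the endpoint and parameter names in them are placeholders rather than the plugin's real ones.

```python
"""Flag path-traversal requests against the plugin path in access logs."""
import re
from urllib.parse import unquote

# Path prefix of the affected plugin on a typical WordPress install.
PLUGIN_PREFIX = "/wp-content/plugins/classic-addons-wpbakery-page-builder/"

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." segment not glued to other word characters (so "file..name" is ignored).
DOTDOT_SEGMENT = re.compile(r"(?<![\w.])\.\.(?=/|$)")

# Constructed sample lines; "endpoint.php?path=" is a placeholder, not a real plugin URL.
SAMPLE_LOG = f"""\
203.0.113.5 - - [07/Jan/2025:10:00:01 +0000] "GET {PLUGIN_PREFIX}assets/style.css HTTP/1.1" 200 512
203.0.113.5 - - [07/Jan/2025:10:00:02 +0000] "GET {PLUGIN_PREFIX}endpoint.php?path=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [07/Jan/2025:10:00:03 +0000] "GET {PLUGIN_PREFIX}endpoint.php?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 0
203.0.113.9 - - [07/Jan/2025:10:00:04 +0000] "GET {PLUGIN_PREFIX}endpoint.php?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024
198.51.100.7 - - [07/Jan/2025:10:00:05 +0000] "GET /index.php?p=..%5c..%5cetc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [07/Jan/2025:10:00:06 +0000] "GET /wp-content/uploads/file..name.txt HTTP/1.1" 200 77
"""


def normalize(raw: str, rounds: int = 3) -> str:
    """URL-decode until stable (catches %252e double encoding), unify slashes."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def scan(log_text: str) -> list[dict]:
    """Return one finding per request whose normalized target contains a '..' segment."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        norm = normalize(target)
        if DOTDOT_SEGMENT.search(norm):
            hits.append({"line": lineno, "ip": ip, "status": int(status),
                         "plugin": norm.startswith(PLUGIN_PREFIX), "normalized": norm})
    return hits


def triage(hits: list[dict]) -> list[dict]:
    """Plugin-targeted traversal requests that were not rejected (status < 400) need review."""
    return [h for h in hits if h["plugin"] and h["status"] < 400]
```

A 403 on a traversal request shows the WAF rule fired; a 200 on the same pattern is what should be investigated on the server side.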
Update the Classic Addons – WPBakery Page Builder plugin to a version later than 3.0. If no such version is available, consider disabling the plugin until a fixed version is released. Review the release notes of the updated version to confirm that the vulnerability has been fixed.
CVE-2024-56286 is a Path Traversal vulnerability in Classic Addons – WPBakery Page Builder allowing PHP Local File Inclusion, potentially leading to code execution.
Yes, if you are using Classic Addons – WPBakery Page Builder version 3.0 or earlier, you are affected by this vulnerability.
Upgrade to version 3.0.1 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary restrictions.
Currently, there are no confirmed active exploitation campaigns, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the official Classic Addons website or WordPress plugin repository for the latest advisory and update information.