Platform
wordpress
Component
wp-event-solution
Fixed in
4.0.9
CVE-2024-7149 describes a Local File Inclusion (LFI) vulnerability affecting the Eventin plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. The vulnerability impacts versions of Eventin up to and including 4.0.8. A patch is expected from the vendor.
The impact of CVE-2024-7149 is significant due to the potential for arbitrary code execution. An attacker with Contributor access can leverage this LFI vulnerability to include and execute PHP code, effectively gaining control over parts of the WordPress environment. This could lead to the theft of sensitive data stored within the WordPress database, modification of website content, or even complete compromise of the server. The ability to execute arbitrary code bypasses standard access controls, making it a particularly dangerous vulnerability. Successful exploitation could mirror the impact of a Remote Code Execution (RCE) vulnerability, albeit requiring initial authentication.
CVE-2024-7149 was publicly disclosed on 2024-09-27. No public proof-of-concept (PoC) code has been identified at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation once a PoC is available, and the prevalence of WordPress plugins, this vulnerability presents a moderate risk.
Websites utilizing the Eventin plugin, particularly those with multiple contributors or users with elevated privileges, are at risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable, as they may be unable to implement effective mitigation measures beyond plugin updates.
• wordpress / composer / npm: grep -r 'style=' /var/www/html/wp-content/plugins/eventin/
• wordpress / composer / npm: wp plugin list | grep eventin
• wordpress / composer / npm: find /var/www/html/wp-content/uploads/ -name '*.php' -type f
Disclosure
Exploit status
EPSS
0.71% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7149 is to upgrade the Eventin plugin to a version that addresses the vulnerability. The data available here does not list a released fixed version, so immediate action is required. As a temporary workaround, restrict file upload permissions so that attackers cannot upload malicious PHP files that could later be included. Consider deploying a Web Application Firewall (WAF) with rules that block attempts to include files outside the designated directories. Regularly scan the WordPress installation for unauthorized files and suspicious code. After upgrading (or applying the workarounds), verify the fix by attempting to access a non-existent PHP file through the vulnerable parameters; the server should return a 404 error rather than execute the file.
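The detection commands above and the "scan for unauthorized files" advice in the mitigation paragraph can be combined into one repeatable check. The script below is an added example, not part of the original advisory or of the Eventin project: it reads the installed plugin version from the plugin header, compares it against the fixed version 4.0.9 using a numeric dotted-version comparison, and counts PHP files under the uploads tree, which should normally be zero. The WordPress layout (wp-content/plugins/eventin/eventin.php with a "Version:" header, wp-content/uploads/) and the constructed sample tree it builds for the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original advisory. It assumes a standard WordPress
# layout (wp-content/plugins/eventin/eventin.php carrying a "Version:" header, and
# wp-content/uploads/ for user uploads); the file names below are assumptions.

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Components are compared numerically so that 4.0.10 sorts after 4.0.9.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    # keep leading digits only, so a suffix such as "-beta" does not break the test
    ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
    ah=${ah:-0}; bh=${bh:-0}
    [ "$ah" -lt "$bh" ] && return 0
    [ "$ah" -gt "$bh" ] && return 1
  done
  return 1
}

# eventin_is_affected VERSION: succeed when VERSION is 4.0.8 or older (fixed in 4.0.9).
eventin_is_affected() {
  version_lt "$1" "4.0.9"
}

# plugin_version FILE: print the value of the "Version:" line of a plugin header.
plugin_version() {
  sed -n 's/^[[:space:]]*[*]*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# count_php_in_uploads DIR: number of PHP files under the uploads tree (expected: 0).
count_php_in_uploads() {
  find "$1" -type f -name '*.php' | wc -l | tr -d ' '
}

# make_sample_install: build a throwaway WordPress-like tree with constructed sample
# data (an Eventin 4.0.8 header and one stray PHP file in uploads) and print its path.
make_sample_install() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/eventin" "$root/wp-content/uploads/2024/09"
  printf '%s\n' '<?php' '/**' ' * Plugin Name: Eventin' ' * Version: 4.0.8' ' */' \
    > "$root/wp-content/plugins/eventin/eventin.php"
  printf '%s\n' '<?php // constructed sample of an unexpected file in uploads' \
    > "$root/wp-content/uploads/2024/09/stray.php"
  printf '%s\n' "$root"
}

# Demo against the constructed tree (point the paths at /var/www/html for a real check).
root=$(make_sample_install)
ver=$(plugin_version "$root/wp-content/plugins/eventin/eventin.php")
if eventin_is_affected "$ver"; then
  echo "Eventin $ver is affected by CVE-2024-7149 (fixed in 4.0.9)"
else
  echo "Eventin $ver is not affected"
fi
echo "PHP files under uploads: $(count_php_in_uploads "$root/wp-content/uploads")"
rm -rf "$root"
```

The version comparison deliberately avoids `sort -V`, which is not available on every sh, and the uploads scan is the same `find` as in the detection list above, wrapped so its count can be asserted on from a cron job or a CI check. A non-zero count is a signal to inspect, not proof of compromise: some plugins legitimately ship PHP into uploads, so compare against a known baseline.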
Update the Eventin plugin to the latest available version. The local file inclusion vulnerability allows authenticated attackers to execute arbitrary PHP code on the server. The update fixes this vulnerability.
CVE-2024-7149 is a Local File Inclusion vulnerability in the Eventin WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Eventin plugin versions 4.0.8 or earlier. Check your plugin version and upgrade as soon as a patch is available.
Upgrade the Eventin plugin to the latest version as soon as a patch is released by the vendor. Until then, restrict file upload permissions and implement input validation.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests active exploitation is possible.
Check the Eventin plugin website and WordPress plugin repository for the official advisory and patch release.