Platform
wordpress
Component
filester
Fixed in
1.8.6
CVE-2024-9669 is a Local File Inclusion (LFI) vulnerability affecting the Filester WordPress plugin. This vulnerability allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server. Versions of Filester up to and including 1.8.5 are affected, and a patch is available in version 1.8.6.
An attacker exploiting this vulnerability can achieve remote code execution (RCE) on the WordPress server. By supplying a crafted value for the 'fm_locale' parameter, an authenticated administrator can make the plugin include and execute an arbitrary file from the server's filesystem, which may lead to theft of sensitive data (for example the database credentials in wp-config.php), modification of site content, or complete server compromise. The risk is amplified wherever the attacker can first place a file on disk: an image or other seemingly harmless upload that carries PHP code in its body becomes executable once it is included. Because exploitation requires administrator privileges, the issue matters most where administrators are deliberately not trusted with code execution, for instance on multisite networks or on installations hardened with DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT.
This vulnerability is publicly known and documented. No active exploitation campaigns had been confirmed at the time of writing, but once an attacker holds an administrator account (through credential theft, password reuse or a separate vulnerability), exploitation is straightforward, which makes it a likely post-compromise step for turning that account into code execution on the server. The vulnerability was disclosed on 2024-11-27. No KEV listing is currently available.
WordPress websites utilizing the Filester plugin, particularly those with administrator accounts that have not been secured with strong passwords and multi-factor authentication, are at risk. Shared hosting environments where plugin updates are not managed centrally are also particularly vulnerable.
• wordpress: confirm the plugin is installed and read its version (affected if 1.8.5 or lower):
wp plugin list --status=all | grep filester
• wordpress: confirm the plugin's code reads the 'fm_locale' parameter (this only shows the parameter is present, not whether the fix is applied; rely on the version number for that):
grep -r 'fm_locale' /var/www/html/wp-content/plugins/filester/
• wordpress: update to the patched release:
wp plugin update filester
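A grep for 'fm_locale' cannot tell a patched copy from an unpatched one, because the parameter is still read after the fix; the version number in the plugin header can. The following triage helper is an added example, not code from the advisory or from the Filester plugin: it reads the standard WordPress plugin header ('Version:' line, using the same pattern WordPress's own get_file_data() applies), and reports whether the installed release falls in the affected range (1.8.5 and below). The sample header it builds is constructed here; Filester's real main file name and header fields are not assumed.

```python
"""Version triage for CVE-2024-9669 (added example, not the plugin's code)."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.8.6"  # first patched release, per the advisory

# Same pattern WordPress uses to read plugin headers (get_file_data()).
HEADER_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.M | re.I)


def parse_version(version):
    """'1.8.5' -> (1, 8, 5); tuples compare the way version numbers should."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def plugin_version_from_header(text):
    """Return the Version: value of a plugin header, or None if absent."""
    m = HEADER_VERSION_RE.search(text)
    return m.group(1).strip() if m else None


def is_affected(version):
    """True when the version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage_plugin_dir(plugin_dir):
    """Find the header in the plugin's top-level .php files and return
    (version, affected); (None, None) when no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        version = plugin_version_from_header(php.read_text(errors="replace"))
        if version:
            return version, is_affected(version)
    return None, None


# Constructed sample: a minimal plugin header for an unpatched install.
# Filester's real main file name and header fields are not assumed here.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Filester
 * Version: 1.8.5
 */
"""


def build_sample_plugin_dir():
    """Write the constructed header into a temporary 'filester' plugin dir."""
    root = Path(tempfile.mkdtemp()) / "filester"
    root.mkdir()
    (root / "filester.php").write_text(SAMPLE_HEADER)
    return root


if __name__ == "__main__":
    # Real use: triage_plugin_dir("/var/www/html/wp-content/plugins/filester")
    version, affected = triage_plugin_dir(build_sample_plugin_dir())
    print(f"Filester {version}: {'AFFECTED' if affected else 'patched'}")
```

Point triage_plugin_dir at the real plugin directory (the path used in the grep above) to check a live install; the tuple comparison handles versions with a different number of components, so 1.10.0 is correctly treated as newer than 1.8.6.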
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9669 is to upgrade the Filester plugin to version 1.8.6 or later immediately. If upgrading is not feasible right away because of compatibility or testing requirements, restrict file upload permissions so that attackers cannot stage files to include; this narrows the issue but does not close it, since files already on the server remain includable. A Web Application Firewall (WAF) rule that rejects 'fm_locale' values which are not plain locale identifiers (anything containing path separators, '..' or a stream wrapper such as php://) adds a further layer of defense. Auditing the user list for unexpected administrator accounts and enforcing multi-factor authentication on the remaining ones reduces the chance that the required privilege level is obtained in the first place. After upgrading, confirm that the installed version reports 1.8.6 or later and that a request with an 'fm_locale' value containing '../' no longer results in inclusion of the referenced file.
Update to version 1.8.6 or a newer patched version.
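The fix for an include-by-parameter bug and the WAF or log-review mitigation reduce to the same test: the value must be a plain locale identifier, nothing else. The code below is an added example, not the Filester plugin's code or the advisory's. is_safe_locale() is that allowlist test, and scan_access_log() applies it to 'fm_locale' values found in access-log lines, undoing repeated percent-encoding first so a double-encoded traversal is judged by what the server would finally see. The log format (Apache/nginx combined) and the admin page path in the sample lines are assumptions; only the parameter name comes from the advisory.

```python
"""Allowlist check for a locale parameter, applied to hardening and to log
review (added example, not the plugin's code)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# 'en', 'de_DE', 'pt-BR' ... Nothing containing '/', '.', NUL or a scheme
# prefix can pass, so a value that passes is safe to place into a file path.
LOCALE_RE = re.compile(r"[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?")


def is_safe_locale(value):
    """Allowlist, not denylist: accept only well-formed locale identifiers."""
    return LOCALE_RE.fullmatch(value) is not None


def decode_fully(value, rounds=3):
    """Strip repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def fm_locale_values(request_line):
    """All fm_locale values in an HTTP request line ('GET /path?q HTTP/1.1')."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return []
    query = urlsplit(parts[1]).query
    return parse_qs(query, keep_blank_values=True).get("fm_locale", [])


def scan_access_log(lines):
    """Return (line_number, decoded_value) for every request whose fm_locale
    value fails the allowlist; the same predicate a WAF rule would apply."""
    request_re = re.compile(r'"([A-Z]+ \S+ HTTP/[\d.]+)"')
    hits = []
    for number, line in enumerate(lines, 1):
        m = request_re.search(line)
        if not m:
            continue
        for raw in fm_locale_values(m.group(1)):
            value = decode_fully(raw)
            if not is_safe_locale(value):
                hits.append((number, value))
    return hits


# Constructed sample log (assumed combined format and page path): two
# legitimate requests and four attempts to escape the locale directory
# (plain, single-encoded, stream wrapper, double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Nov/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=en HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Nov/2024:10:01:09 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=../../../../wp-config HTTP/1.1" 200 1234',
    '10.0.0.5 - - [27/Nov/2024:10:01:15 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=%2e%2e%2f%2e%2e%2fuploads%2f2024%2f11%2favatar.png HTTP/1.1" 200 77',
    '10.0.0.5 - - [27/Nov/2024:10:01:20 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 2048',
    '10.0.0.9 - - [27/Nov/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=de_DE HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Nov/2024:10:02:31 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=%252e%252e%252fwp-config HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for number, value in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: suspicious fm_locale={value!r}")
```

Feed real access-log lines to scan_access_log() to review past traffic; every hit is a request whose value would have been rejected by the same allowlist a patched include path or a WAF rule should enforce. The allowlist approach is deliberate: a denylist of '../' and 'php://' misses the next encoding trick, whereas a value that matches the locale pattern cannot express a path at all.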
CVE-2024-9669 is a vulnerability in the Filester WordPress plugin allowing authenticated admins to include and execute arbitrary files, potentially leading to code execution.
You are affected if you are using Filester version 1.8.5 or earlier. Upgrade to 1.8.6 to resolve the vulnerability.
Upgrade the Filester plugin to version 1.8.6 or later. If immediate upgrade isn't possible, restrict file upload permissions and consider a WAF.
While no confirmed active exploitation campaigns are currently known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Filester plugin documentation and WordPress security announcements for the latest information and advisory regarding CVE-2024-9669.