Platform
wordpress
Component
energox
Fixed in
1.2.1
CVE-2026-24970 describes an Arbitrary File Access vulnerability within the Energox WordPress plugin. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of Energox from 0.0.0 up to and including 1.2 are affected. A fix is available in version 1.3.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files on the web server hosting the Energox plugin. This could include configuration files containing database credentials, source code with API keys, or other confidential data. Successful exploitation could lead to data breaches, compromise of the entire WordPress installation, and potential lateral movement within the network if the server has access to other resources. The impact is amplified if the server hosts multiple WordPress sites or is part of a larger infrastructure.
CVE-2026-24970 was published on 2026-03-25. As of this date, there are no publicly known proof-of-concept exploits. The EPSS score is pending evaluation. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites utilizing the Energox WordPress plugin in versions 0.0.0 through 1.2 are at risk. Shared hosting environments are particularly vulnerable, as they often have limited control over file permissions and server configurations. Administrators who have not regularly updated their WordPress plugins are also at increased risk.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/energox/*
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/energox/../../../../etc/passwd
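The checks above only look for the literal string "../" in the plugin source or probe the web server; neither tells you whether the installed copy is actually inside the affected range. The following is an added example (not part of this advisory and not Energox project code) that reads the "Version:" field WordPress puts in every plugin's main-file header and compares it numerically against the advisory's affected range (0.0.0 through 1.2 inclusive). The sample header is constructed; the real main file is assumed to live under wp-content/plugins/energox/ (check your own install).

```python
import re
from typing import Optional, Tuple

# Highest affected version according to the advisory (affected range: 0.0.0 through 1.2).
AFFECTED_MAX = "1.2"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.1' -> (1, 2, 1). A leading 'v' and a trailing tag such as '-beta' are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Components are compared numerically and padded with
    zeros, so '1.2' == '1.2.0' and '1.10' > '1.2' (a plain string comparison
    gets the latter wrong)."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory's affected range."""
    return compare_versions(version, AFFECTED_MAX) <= 0


def read_plugin_version(header_text: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    m = re.search(r"^[\s*#]*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of a plugin main-file header (not the real Energox file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Energox
 * Description: constructed sample header
 * Version: 1.2
 */
"""


def assess(header_text: str) -> dict:
    """Combine header parsing and range check into one verdict."""
    version = read_plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None}  # header not found: cannot decide
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # For a live install: assess(Path("/var/www/html/wp-content/plugins/energox/energox.php").read_text())
    print(assess(SAMPLE_HEADER))
```

On a server with WP-CLI available, `wp plugin get energox --field=version` returns the same version string and can be fed straight into is_affected(). The zero-padding matters for the edge cases in this advisory: "1.2" and "1.2.0" are both affected, while "1.2.1" and "1.10" are not.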
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24970 is to immediately upgrade the Energox plugin to version 1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Carefully review file upload and file access logic within the plugin to identify and patch any other potential vulnerabilities. Monitor WordPress logs for suspicious file access attempts.
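A WAF rule that matches the literal sequence "../" misses the percent-encoded ("..%2F"), double-encoded ("%252e%252e%252f") and backslash forms that reach the plugin as the same path after the server or PHP decodes them. The following is an added example (not from this advisory) of the log-monitoring step: it decodes each request target until it is stable, normalizes backslashes, and flags traversal attempts, marking those aimed at the Energox plugin directory and those the server answered with 200. The log lines are constructed in combined log format; "download.php" and the "file" parameter are placeholders, not known Energox endpoints.

```python
import re
from urllib.parse import unquote

# Combined log format prefix: enough to extract client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/wp-content/plugins/energox/"
# A ".." that starts a path/parameter segment and is followed by a separator or the end.
TRAVERSAL_RE = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:/|$)")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing (catches %252e)."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def is_traversal(target: str) -> bool:
    """True if the decoded, slash-normalized request target contains a '..' segment."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(lines):
    """Return one record per request that looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line: skip rather than crash
        target = m.group("target")
        if not is_traversal(target):
            continue
        decoded = fully_decode(target)
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "target": target,
            "decoded": decoded,
            "energox": decoded.startswith(PLUGIN_PREFIX),
            "served": int(m.group("status")) == 200,  # a 200 is the case to escalate
        })
    return hits


# Constructed sample log (TEST-NET addresses; endpoints are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2026:10:15:02 +0000] "GET /wp-content/plugins/energox/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Mar/2026:10:16:40 +0000] "GET /wp-content/plugins/energox/../../../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [25/Mar/2026:10:16:41 +0000] "GET /wp-content/plugins/energox/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '198.51.100.23 - - [25/Mar/2026:10:16:42 +0000] "GET /wp-content/plugins/energox/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '192.0.2.9 - - [25/Mar/2026:10:20:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 231 "-" "Mozilla/5.0"',
    'malformed line that does not parse',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The first hit shows why the literal rule is not enough: the web server already rejected the raw "../" request with a 400, while the encoded variants reached the plugin and were served with 200. Any hit with "energox" and "served" both true is the one to investigate first, and the same decode-then-match logic is what the WAF rule should apply before comparing against "../".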
Update to version 1.3, or a newer patched version
CVE-2026-24970 is a vulnerability in the Energox WordPress plugin allowing attackers to read files outside of the intended directory through path manipulation. It has a CVSS score of 7.7 (HIGH).
Yes, if you are using Energox versions 0.0.0 through 1.2, you are affected by this vulnerability. Upgrade to version 1.3 or later to mitigate the risk.
The recommended fix is to upgrade the Energox plugin to version 1.3 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-24970, but the vulnerability's severity warrants immediate attention.
Refer to the Energox plugin's official website or WordPress plugin repository for the latest advisory and update information.