HIGH · CVE-2024-54380 · CVSS 7.5

CVE-2024-54380: Path Traversal in WP Cookies Enabler

Platform

wordpress

Component

wp-cookies-enabler

Fixed in

1.0.2

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2024-54380 describes a Path Traversal vulnerability within the WP Cookies Enabler WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive information disclosure or even remote code execution. The vulnerability impacts versions of WP Cookies Enabler up to and including 1.0.1, and a patch is available in version 1.0.2.


Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Impact and Attack Scenarios

The core of this vulnerability is improper handling of file paths within WP Cookies Enabler. An attacker can craft input that bypasses the intended restrictions and names a path outside the plugin's directory, which produces a Local File Inclusion (LFI) condition. Successful exploitation could let an attacker read sensitive configuration files (wp-config.php holds the database credentials) or source code, and, if the attacker can first place PHP code somewhere on the filesystem (an upload, a log file, a temp file), include and execute it, compromising the whole WordPress installation. The assigned CVSS vector rates attack complexity High and requires user interaction, so the assessor did not treat this as a trivially scriptable unauthenticated request in every deployment; the impact metrics are nonetheless all High, so treat it as a conditional but serious flaw. How far the impact extends beyond data theft depends on the server's configuration and on what the attacker can already write to disk.

Exploitation Context

CVE-2024-54380 was publicly disclosed on December 16, 2024. No public proof-of-concept (PoC) code has been widely reported, but path traversal is a well-understood attack class that automated scanners routinely test for, so a missing PoC should not be read as "not exploitable". The EPSS score is 0.18% (40th percentile), a low predicted probability of exploitation in the next 30 days, consistent with the absence of a PoC and the plugin's small install base. Monitor WordPress security forums and vulnerability databases for any signs of active exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.18% (40th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (7.5 HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: wp-cookies-enabler
Vendor: Filippo Bodei
Affected range: 0.0.0 – 1.0.1
Fixed in: 1.0.2

Package Information

Active installs
10
Plugin rating
5.0
Requires WordPress
3.0.1+
Compatible up to
4.4.34

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published (December 16, 2024)
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-54380 is to upgrade the WP Cookies Enabler plugin to version 1.0.2 or later as soon as possible. If upgrading is not immediately feasible because of compatibility or testing constraints, reduce what a traversal can reach in the meantime. A path traversal that leads to file inclusion is a read-and-include problem, so restricting write permissions alone does not help: run PHP as a low-privilege user that can read only the files the site needs, confine file access with PHP's open_basedir directive, and keep allow_url_include disabled so the flaw cannot be turned into remote file inclusion. A Web Application Firewall (WAF) rule should block traversal sequences in the plugin's request parameters, and it must catch the encoded variants (%2e%2e%2f, double-encoded %252e%252e%252f, backslash separators, null bytes) rather than only the literal ../ string, or it will be bypassed. Deactivating the plugin until it can be updated is the simplest workaround. After upgrading, confirm that the installed version is 1.0.2 or later and, on a staging copy, send a request to the plugin's affected endpoint that references a file outside the plugin directory (for example ../../wp-config.php) and confirm that the response is an error rather than file contents.
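The two checks the paragraph above asks for, a WAF-style screen that canonicalizes the parameter before matching and the containment check a fixed include routine should perform, as an added example for this advisory. This is not code from the WP Cookies Enabler plugin or its fix; the plugin directory, the notion of a single file parameter and all sample values are constructed, because the advisory does not name the vulnerable parameter or endpoint.

```python
"""Request screening and path containment for CVE-2024-54380-style traversal.

Added example for this advisory, not code from the WP Cookies Enabler plugin
or its 1.0.2 fix. PLUGIN_DIR and SAMPLE_VALUES are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed sample values of a hypothetical file parameter sent to the
# plugin. Only the first is a legitimate in-directory reference.
SAMPLE_VALUES = [
    "templates/banner.php",                 # legitimate
    "../../../../wp-config.php",            # plain traversal
    "%2e%2e%2f%2e%2e%2fwp-config.php",      # URL-encoded dots and slashes
    "%252e%252e%252fwp-config.php",         # double-encoded
    "..\\..\\wp-config.php",                # backslash separators
    "templates/banner.php%00.txt",          # null byte to defeat a forced suffix
    "/etc/passwd",                          # absolute path
]

PLUGIN_DIR = "/var/www/html/wp-content/plugins/wp-cookies-enabler"  # assumed
MAX_DECODE_ROUNDS = 3


def naive_waf_match(raw: str) -> bool:
    """A literal '../' rule: the kind of WAF rule that encoded input bypasses."""
    return "../" in raw


def canonicalize(raw: str) -> str:
    """Undo the encodings a bypass relies on before any decision is made."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):          # bounded, so no endless loop
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")             # treat backslash as a separator


def escapes_plugin_dir(raw: str) -> bool:
    """WAF-side verdict: reject null bytes, absolute paths and any '..' segment."""
    value = canonicalize(raw)
    if "\x00" in value or value.startswith("/"):
        return True
    return any(segment == ".." for segment in value.split("/"))


def resolve_within(base_dir: str, raw: str):
    """Return the resolved path if it stays inside base_dir, otherwise None.

    Pure-path form of the containment check a fixed include routine should
    perform. On a real filesystem apply realpath() to both sides as well, so
    a symlink inside base_dir cannot point the resolved path outside it.
    """
    value = canonicalize(raw)
    if "\x00" in value:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, value))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def screen(values):
    """Compare the naive rule with the canonicalizing checks for each value."""
    return [
        {
            "value": v,
            "naive_blocks": naive_waf_match(v),
            "blocks": escapes_plugin_dir(v),
            "resolved": resolve_within(PLUGIN_DIR, v),
        }
        for v in values
    ]


if __name__ == "__main__":
    for row in screen(SAMPLE_VALUES):
        print(row)
```

Run over the constructed values, the literal `../` rule blocks only the plain payload, while the canonicalizing check blocks all six malicious ones. The two checks answer different questions: `escapes_plugin_dir` rejects any `..` segment, which is the right behaviour for a WAF, whereas `resolve_within` would accept `templates/../templates/banner.php` because it resolves inside the plugin directory; the server-side fix needs the containment check, the perimeter rule can afford to be stricter.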

How to fix

Update the WP Cookies Enabler plugin to the latest available version; 1.0.2 or later fixes this issue. If you cannot update, disable or remove the plugin until you can. Check the developer's website for further information and updates.


Frequently asked questions

What is CVE-2024-54380 — Path Traversal in WP Cookies Enabler?

CVE-2024-54380 is a Path Traversal vulnerability in WP Cookies Enabler allowing attackers to potentially include arbitrary files, leading to sensitive information disclosure or code execution.

Am I affected by CVE-2024-54380 in WP Cookies Enabler?

Yes. Every release before 1.0.2 is in the affected range (listed above as 0.0.0 – 1.0.1), so if the Version line of the installed plugin reads 1.0.1 or lower you are affected.
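A version check against the affected range, as an added example for this advisory rather than a tool from the plugin author or this site. It reads the Version: line in the header format WordPress parses from a plugin's main PHP file and compares dotted versions numerically, so that a hypothetical 1.0.10 is not mis-sorted below 1.0.2 by string comparison. The header text is constructed to look like such a file; only the plugin name, author and version are taken from this page.

```python
"""Check an installed WP Cookies Enabler version against CVE-2024-54380's range.

Added example for this advisory. SAMPLE_PLUGIN_FILE is a constructed plugin
header in the format WordPress reads; it is not the real plugin file.
"""
import re

FIXED_VERSION = "1.0.2"   # from the advisory: every earlier release is affected

# Constructed plugin main-file header; the real file's other lines may differ.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: WP Cookies Enabler
Plugin URI: https://example.invalid/wp-cookies-enabler
Description: Constructed sample header for illustration.
Version: 1.0.1
Author: Filippo Bodei
*/
"""

# WordPress accepts comment punctuation before the field name, so allow it too.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(plugin_file_text: str):
    """Return the Version: value from a plugin header, or None if absent."""
    match = VERSION_RE.search(plugin_file_text)
    return match.group(1) if match else None


def version_tuple(version: str, width: int = 4):
    """Turn '1.0.10' into (1, 0, 10, 0) so comparison is numeric, not lexical."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected per the advisory: strictly older than the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def assess(plugin_file_text: str) -> dict:
    """Parse one plugin main file and report whether it is in the affected range."""
    version = parse_version(plugin_file_text)
    return {"version": version, "affected": version is not None and is_affected(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_FILE))
```

In real use, point `assess` at the text of the main PHP file under wp-content/plugins/wp-cookies-enabler/ on each site you manage; the same comparison can be applied to the version column of `wp plugin list` if WP-CLI is available. A missing Version line is reported as not affected only because nothing could be parsed, so treat `version: None` as "check manually", not as a clean result.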

How do I fix CVE-2024-54380 in WP Cookies Enabler?

Upgrade WP Cookies Enabler to version 1.0.2 or later. As a temporary workaround, restrict file access permissions and implement WAF rules.

Is CVE-2024-54380 being actively exploited?

No active exploitation has been widely reported, and the EPSS score above (0.18%) is low. The plugin's small install base (about 10 active installs, per the package information above) limits attacker interest, but path traversal is a well-understood class that automated scanners test for, so exposed installations should still be updated.

Where can I find the official WP Cookies Enabler advisory for CVE-2024-54380?

Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.
