CVE-2024-51788: Arbitrary File Access in Novel Design Store Directory
Platform
wordpress
Component
noveldesign-store-directory
Fixed in
4.3.1
CVE-2024-51788 is an Arbitrary File Access vulnerability affecting The Novel Design Store Directory. Attackers can exploit this flaw to upload malicious files, including web shells, granting them unauthorized control over the web server. This vulnerability impacts versions of The Novel Design Store Directory up to and including 4.3.0. A patch is available in version 4.3.1.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The primary impact of CVE-2024-51788 is the ability for an attacker to upload a web shell to the server. A web shell is a malicious script that allows an attacker to execute arbitrary commands on the server as if they were a legitimate administrator. This can lead to complete server compromise, including data exfiltration, modification, or deletion. The attacker could also use the compromised server as a launchpad for further attacks against other systems on the network, achieving lateral movement. The blast radius extends beyond the affected directory, potentially impacting any data or services hosted on the same server. The unrestricted file upload nature of this vulnerability makes it particularly dangerous, as it bypasses typical security controls designed to prevent malicious file uploads.
Exploitation Context
CVE-2024-51788 was published on November 11, 2024. Its critical CVSS score (10) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) exploits have been widely reported, the ease of exploiting arbitrary file upload vulnerabilities suggests that it could become a target for automated scanning and exploitation. The vulnerability's presence on the NVD (National Vulnerability Database) increases the likelihood of exploitation attempts. EPSS score is likely to be high, reflecting the severity and potential for widespread exploitation.
Threat Intelligence
Exploit Status
EPSS
29.62% (97% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-51788 is to immediately upgrade to version 4.3.1 of The Novel Design Store Directory. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file upload types to only explicitly allowed extensions, implementing stricter file size limits, and enabling server-side validation of uploaded files. Web Application Firewalls (WAFs) can be configured with rules to block suspicious file uploads and detect web shell activity. Monitor server logs for unusual file activity or command execution attempts. After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a known dangerous extension (e.g., .php) and verifying that the upload is rejected.
How to fix
Actualice el plugin The Novel Design Store Directory a la última versión disponible. La vulnerabilidad permite la subida de archivos arbitrarios, lo que podría comprometer la seguridad del sitio web. La actualización corrige esta vulnerabilidad.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2024-51788 — Arbitrary File Access in The Novel Design Store Directory?
It's a critical Arbitrary File Access vulnerability in The Novel Design Store Directory allowing attackers to upload malicious files, potentially gaining full server control.
Am I affected by CVE-2024-51788 in The Novel Design Store Directory?
If you are using The Novel Design Store Directory versions 4.3.0 or earlier, you are vulnerable to this exploit.
How do I fix CVE-2024-51788 in The Novel Design Store Directory?
Upgrade to version 4.3.1 immediately. If upgrading isn't possible, implement temporary workarounds like restricting file types and sizes.
Is CVE-2024-51788 being actively exploited?
While no widespread exploitation is currently reported, the vulnerability's severity and ease of exploitation make it a likely target.
Where can I find the official The Novel Design Store Directory advisory for CVE-2024-51788?
Refer to the National Vulnerability Database (NVD) entry for CVE-2024-51788 and the vendor's security advisory for further details.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.