HIGH | CVE-2024-43232 | CVSS 8.5

CVE-2024-43232: Path Traversal in WP OnlineSupport Timeline

Platform: wordpress

Component: timeline-and-history-slider

Fixed in: 2.3.1

AI Confidence: high | NVD | EPSS 0.8% | Reviewed: May 2026

CVE-2024-43232 describes a Path Traversal vulnerability within the Timeline and History slider component of WP OnlineSupport. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 2.3. A patch has been released in version 2.3.1.

Impact and Attack Scenarios

The core impact of this vulnerability lies in its ability to facilitate PHP Local File Inclusion (LFI). An attacker can leverage this Path Traversal flaw to manipulate file paths, tricking the application into including files from outside the intended directory. This could allow them to read sensitive configuration files, source code, or even execute arbitrary PHP code on the server. Successful exploitation could lead to complete compromise of the WordPress site, including data theft, defacement, and the installation of malware. The potential for code execution significantly elevates the risk, allowing attackers to gain persistent access and control over the affected system.

Exploitation Context

CVE-2024-43232 was publicly disclosed on August 19, 2024. While no public proof-of-concept (PoC) code has been widely reported, the Path Traversal nature of the vulnerability makes it relatively straightforward to exploit. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation is possible given the ease of exploitation and the widespread use of WordPress plugins.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.77% (73% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (base score 8.5, HIGH)

What do these metrics mean?

Attack Vector (how the attacker reaches the target): Network. Remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity (conditions required to exploit): High. Requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required (authentication level needed to attack): Low. Any valid user account is sufficient. Basic authenticated access required.
User Interaction (whether a victim must take action): None. Attack is automatic and silent. Victim does nothing: no click, no file open.
Scope (impact beyond the vulnerable component): Changed. Successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality (risk of sensitive data exposure): High. Complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity (risk of unauthorized data modification): High. Attacker can write, modify, or delete any data: databases, config files, or code.
Availability (risk of service disruption): High. Complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: timeline-and-history-slider
Vendor: WP OnlineSupport, Essential Plugin
Affected range: 0.0.0 – 2.3
Fixed in: 2.3.1

Package Information

Active installs: 5K (Niche)
Plugin rating: 4.4
Requires WordPress: 4.0+
Compatible up to: 6.9.4

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-43232 is to immediately upgrade the WP OnlineSupport Timeline and History slider plugin to version 2.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Implement a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Regularly review and audit the plugin's code for any further vulnerabilities. After upgrading, confirm the fix by attempting a path traversal attack and verifying that it is blocked.

How to fix

Update the Timeline and History slider plugin to the latest available version. The Local File Inclusion vulnerability allows attackers to access sensitive server files. The update fixes this vulnerability.
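
One way to check whether a WordPress installation carries an affected copy, as an added example that is not part of the original advisory or the plugin's code: it reads the version header from the plugin directory and compares it with the fixed release 2.3.1. It assumes the default `wp-content/plugins` layout; the sample tree and its PHP file name are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "timeline-and-history-slider"  # component named in this advisory
FIXED_VERSION = "2.3.1"                      # first fixed release per this advisory
# WordPress takes the version from a "Version:" header in a top-level plugin PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def version_key(version):
    """Map '2.3' to (2, 3, 0) so that 2.3 < 2.3.1 < 2.10 orders correctly."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(wp_root):
    """Return the declared version, 'unknown' if no header is found, None if absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG  # default layout
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]  # headers sit at the top
        match = HEADER_RE.search(head)
        if match and "Plugin Name:" in head:
            return match.group(1)
    return "unknown"


def assess(wp_root):
    """Classify one WordPress root: not-installed, unknown, affected or patched."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    if version == "unknown":
        return "unknown"  # plugin directory exists but has no header: inspect manually
    return "affected" if version_key(version) < version_key(FIXED_VERSION) else "patched"


def make_sample_site(version):
    """Build a constructed WordPress tree in a temp dir (the PHP file name is made up)."""
    plugin_dir = Path(tempfile.mkdtemp()) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/**\n * Plugin Name: Timeline and History slider\n * Version: {version}\n */\n"
    (plugin_dir / "plugin-main.php").write_text(header, encoding="utf-8")
    return plugin_dir.parents[2]


if __name__ == "__main__":
    print({v: assess(make_sample_site(v)) for v in ("2.3", "2.3.1")})
```

On a real host, call `assess()` with each WordPress document root; a result of `unknown` means the plugin directory exists but no version header was found and the copy should be inspected by hand.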

Frequently asked questions

What is CVE-2024-43232 — Path Traversal in WP OnlineSupport Timeline?

CVE-2024-43232 is a Path Traversal vulnerability in the WP OnlineSupport Timeline and History slider plugin, allowing attackers to potentially include arbitrary files on the server.

Am I affected by CVE-2024-43232 in WP OnlineSupport Timeline?

You are affected if you are using WP OnlineSupport Timeline and History slider version 2.3 or earlier. Upgrade to 2.3.1 to resolve the issue.

How do I fix CVE-2024-43232 in WP OnlineSupport Timeline?

Upgrade the WP OnlineSupport Timeline and History slider plugin to version 2.3.1 or later. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.

Is CVE-2024-43232 being actively exploited?

While no confirmed active exploitation has been publicly reported, the vulnerability's ease of exploitation suggests it is a potential target for attackers.

Where can I find the official WP OnlineSupport advisory for CVE-2024-43232?

Refer to the WP OnlineSupport website or WordPress plugin repository for the official advisory and update information.
