CVE-2024-31300: Path Traversal in Easy Social Share Buttons
Platform: wordpress
Component: easy-social-share-buttons3
Fixed in: 9.4.1
CVE-2024-31300 describes a Path Traversal vulnerability within the Easy Social Share Buttons plugin for WordPress. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 9.4, and a patch is available in version 9.4.1.
Impact and Attack Scenarios
The core impact of CVE-2024-31300 lies in its ability to facilitate PHP Local File Inclusion (LFI). An attacker could craft a malicious URL that leverages the path traversal vulnerability to request files outside of the intended directory. This could expose configuration files containing database credentials, API keys, or other sensitive information. In a worst-case scenario, an attacker might be able to include a PHP script they control, leading to remote code execution and complete compromise of the WordPress site. The blast radius extends to any data stored on the server accessible via PHP, including user data, media files, and application code.
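The code-level counterpart of the mitigation discussed on this page is to never pass a caller-supplied name straight to an include: allow-list its shape, canonicalise the result, and confirm it still sits under one fixed directory. The following is an added example written for this page, not the plugin's own code or its patch; the function name `resolve_template_path`, the temporary directory and the sample request names are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): resolve a caller-supplied template
// name to a file inside one fixed directory, refusing anything that escapes it.

/**
 * Return the canonical path of $name inside $baseDir, or null when the request
 * is rejected (traversal, encoded traversal, stream wrapper, NUL byte, wrong
 * extension, missing file, or a symlink resolving outside the base directory).
 */
function resolve_template_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);      // canonical base directory; false if absent
    if ($base === false) {
        return null;
    }
    // Allow-list the shape of the name: one plain file name ending in .php.
    // This alone rejects "../", "%2F", "php://", NUL bytes and any separator,
    // because none of those characters are in the permitted set.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                 // no such file
    }
    // Defence in depth: the canonical result must still lie under $base.
    // This catches a symlink inside the directory that points elsewhere.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a throw-away directory so the script runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', "<?php echo 'template';\n");

// Constructed request values covering the legitimate case and the rejected ones.
$requests = [
    'default.php',                 // legitimate
    '../../wp-config.php',         // plain traversal
    '..%2F..%2Fwp-config.php',     // URL-encoded traversal
    'php://filter/resource=x.php', // stream wrapper
    "default.php\0.txt",           // NUL-byte truncation attempt
    'missing.php',                 // valid shape, file absent
];
foreach ($requests as $name) {
    $resolved = resolve_template_path($dir, $name);
    printf("%-32s => %s\n", addcslashes($name, "\0"),
        $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```

Only `default.php` resolves; every other input is rejected by the allow-list before the filesystem is consulted, and the `realpath` prefix check remains as a second barrier for cases the regex cannot see, such as a symlink planted inside the template directory.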
Exploitation Context
CVE-2024-31300 was publicly disclosed on May 17, 2024. While no active exploitation campaigns have been confirmed, the availability of a public proof-of-concept is likely to increase the risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, it is considered a high-priority vulnerability to address.
Threat Intelligence
Exploit Status
EPSS: 1.34% (80th percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-31300 is to immediately upgrade the Easy Social Share Buttons plugin to version 9.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions within the plugin's directory. Web Application Firewalls (WAFs) can be configured to block requests containing path traversal sequences (e.g., ../). Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
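A WAF rule that matches the literal string `../` misses URL-encoded and double-encoded forms, so a detection or blocking check should decode the request path first and then look for a `..` segment. The following is an added example written for this page, not code from the advisory or the plugin: it scans constructed access-log lines (the IP addresses, plugin path and `tpl` parameter are all made up for the illustration) and reports the requests that carry a traversal segment.

```php
<?php
// Added example (not from the advisory): flag access-log requests whose
// decoded path contains a directory-traversal segment. All log lines below
// are constructed for the demo; the plugin path and parameter are hypothetical.

/** Decode a URL path repeatedly (bounded) so double-encoded sequences are caught. */
function fully_decode(string $path, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($path);
        if ($decoded === $path) {
            break;
        }
        $path = $decoded;
    }
    return $path;
}

/** True when the decoded path or query contains a standalone ".." segment. */
function has_traversal(string $rawPath): bool
{
    $decoded = str_replace('\\', '/', fully_decode($rawPath));
    // ".." must be bounded by a path or query delimiter; "style..css" does not count.
    return preg_match('#(?:^|[/?&=])\.\.(?:[/?&]|$)#', $decoded) === 1;
}

/** Parse a combined-format log line into its fields, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Return the parsed requests that should raise an alert. */
function find_traversal_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req !== null && has_traversal($req['path'])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real logs). Lines 2 to 4 should be flagged.
$sample = [
    '198.51.100.7 - - [17/May/2024:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?tpl=default HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/May/2024:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/view.php?tpl=../../../wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/May/2024:10:00:03 +0000] "GET /wp-content/plugins/example-plugin/view.php?tpl=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/May/2024:10:00:04 +0000] "GET /wp-content/plugins/example-plugin/view.php?tpl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 220',
    '203.0.113.9 - - [17/May/2024:10:00:05 +0000] "GET /wp-content/plugins/example-plugin/assets/style..css HTTP/1.1" 200 90',
];

foreach (find_traversal_requests($sample) as $hit) {
    printf("ALERT %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['path'], $hit['status']);
}
```

A 200 status on a flagged request deserves more attention than a 404, since it suggests the include actually succeeded; the decode-then-match step is what lets the second and third flagged lines be caught even though neither contains the literal `../` that a naive WAF signature looks for.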
How to fix
Update the Easy Social Share Buttons plugin to the latest available version. The Local File Inclusion vulnerability allows attackers to access sensitive server files. The update fixes this vulnerability and protects your website.
Frequently asked questions
What is CVE-2024-31300 — Path Traversal in Easy Social Share Buttons?
CVE-2024-31300 is a Path Traversal vulnerability in the Easy Social Share Buttons plugin for WordPress, allowing attackers to potentially include arbitrary files on the server.
Am I affected by CVE-2024-31300 in Easy Social Share Buttons?
Yes, if you are using Easy Social Share Buttons version 9.4 or earlier, you are affected by this vulnerability.
How do I fix CVE-2024-31300 in Easy Social Share Buttons?
Upgrade the Easy Social Share Buttons plugin to version 9.4.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
Is CVE-2024-31300 being actively exploited?
While no active exploitation campaigns have been confirmed, the availability of a public proof-of-concept suggests an increased risk of exploitation.
Where can I find the official Easy Social Share Buttons advisory for CVE-2024-31300?
Refer to the appscreo website and WordPress plugin repository for the latest advisory and update information.