Platform: wordpress
Component: swift-performance-lite
Fixed in: 2.3.8
CVE-2024-10516 describes a Local PHP File Inclusion (LFI) vulnerability in the Swift Performance Lite plugin for WordPress. It allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability affects plugin versions up to and including 2.3.7.1; a fix is available in 2.3.8 and later.
The impact of this LFI vulnerability is significant. An attacker can leverage it to execute arbitrary PHP code on the WordPress server, for example by uploading a malicious PHP file disguised as an image and then including it through the vulnerable 'ajaxify' function. Successful exploitation allows attackers to bypass access controls, steal sensitive data (database credentials, user information, configuration files), and potentially gain full control of the web server. Arbitrary code execution opens the door to a wide range of malicious activity, including defacement, malware installation, and data exfiltration. This vulnerability resembles other LFI exploits in which attackers chain a file upload mechanism with the inclusion flaw to inject malicious code.
CVE-2024-10516 was publicly disclosed on December 6, 2024. No active exploitation campaigns have been definitively confirmed, but the ease of exploitation and the plugin's popularity suggest a potential for rapid exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 85.40% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10516 is to upgrade the Swift Performance Lite plugin to 2.3.8 or later, where the vulnerability has been addressed. If upgrading is not immediately feasible, consider temporary workarounds: restrict file upload permissions so that attackers cannot place PHP files on the server; configure a Web Application Firewall (WAF) to block requests containing suspicious file paths or patterns related to the 'ajaxify' function; and review and harden WordPress file permissions to limit the impact of any code execution. After upgrading, confirm the fix by attempting to trigger the 'ajaxify' function with a known malicious file path; the request should be blocked or result in an error.
Update the Swift Performance Lite plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. Updating will fix the PHP file inclusion vulnerability.
CVE-2024-10516 is a Local PHP File Inclusion vulnerability in the Swift Performance Lite WordPress plugin, allowing attackers to execute arbitrary code if the plugin version is 2.3.7.1 or earlier.
You are affected if you are using the Swift Performance Lite WordPress plugin version 2.3.7.1 or earlier. Check your plugin version immediately.
Upgrade the Swift Performance Lite plugin to a version greater than 2.3.7.1 (2.3.8 or later). If an immediate upgrade is not possible, implement temporary workarounds such as restricting file uploads.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation suggests a potential for rapid exploitation.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
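The advisory's two practical instructions for defenders are to check the installed plugin version against the fixed release and to keep PHP files out of the uploads directory. The script below is an added example, not code from the advisory or from the Swift Performance Lite project: it reads the `Version:` field from a plugin header file, compares it to 2.3.8 with a pure POSIX version comparison (no `sort -V` dependency), and counts PHP files under `wp-content/uploads`. The plugin main-file name `plugin.php` and the whole demo site tree are placeholders constructed inside a temporary directory so the script runs offline; point `audit_site` at a real WordPress root to use it.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a WordPress install for
# CVE-2024-10516 exposure. Fixed release taken from the advisory.
FIXED_VERSION="2.3.8"

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 (like strcmp); missing components count as 0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit status 0 when the given version is below the fixed release, 1 otherwise.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Extract the "Version:" value from a WordPress plugin header (handles
# both bare "Version: x" and " * Version: x" comment styles).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Count PHP files below an uploads directory; only media should live there.
php_files_in_uploads() {
    [ -d "$1" ] || { echo 0; return; }
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | wc -l | tr -d ' '
}

# Audit one WordPress root. Prints findings; returns 1 if action is needed.
audit_site() {
    root="$1"
    header="$root/wp-content/plugins/swift-performance-lite/plugin.php"  # placeholder file name
    rc=0
    if [ -f "$header" ]; then
        ver="$(plugin_version "$header")"
        if is_affected "$ver"; then
            echo "swift-performance-lite $ver is affected by CVE-2024-10516; upgrade to $FIXED_VERSION or later"
            rc=1
        else
            echo "swift-performance-lite $ver is at or above the fixed release $FIXED_VERSION"
        fi
    else
        echo "swift-performance-lite not found under $root"
    fi
    n="$(php_files_in_uploads "$root/wp-content/uploads")"
    if [ "$n" -gt 0 ]; then
        echo "$n PHP file(s) under wp-content/uploads; review and remove them, and deny PHP execution there"
        rc=1
    fi
    return "$rc"
}

# --- constructed demo site (placeholder, not a real install) ---
demo="$(mktemp -d)"
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/wp-content/plugins/swift-performance-lite" "$demo/wp-content/uploads/2024/12"
cat > "$demo/wp-content/plugins/swift-performance-lite/plugin.php" <<'EOF'
<?php
/*
Plugin Name: Swift Performance Lite
Version: 2.3.7.1
*/
EOF
# A placeholder PHP file where only media belongs (constructed fixture).
printf '<?php // constructed placeholder\n' > "$demo/wp-content/uploads/2024/12/image.php"

audit_site "$demo" || echo "audit: action required"
```

Run it against a live site with `audit_site /var/www/html` (adjusting the plugin main-file name to the real one); a non-zero return from `audit_site` is convenient for cron or CI jobs that should fail while the plugin is still below 2.3.8.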