Platform
wordpress
Component
wp-hide-security-enhancer
Fixed in
2.5.2
CVE-2024-11585 describes an arbitrary file access vulnerability affecting the WP Hide & Security Enhancer plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server, leading to potential site breakage or data loss. The vulnerability impacts versions of the plugin up to and including 2.5.1. A fix is available in a later version of the plugin.
The impact of CVE-2024-11585 is significant due to its ease of exploitation and potential for widespread damage. An attacker can leverage this vulnerability to delete critical WordPress files, effectively taking the website offline. Beyond simple denial of service, the attacker could delete configuration files, database connection details, or even core WordPress files, leading to complete data loss or requiring a full site rebuild. The lack of authentication required for exploitation makes it a particularly concerning risk, as any unauthenticated user can trigger the vulnerability. This is similar to other file access vulnerabilities where attackers can manipulate file paths to gain unauthorized access.
CVE-2024-11585 was publicly disclosed on December 6, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability, but the ease of exploitation suggests it could become a target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Exploit Status
EPSS
2.01% (84% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11585 is to upgrade the WP Hide & Security Enhancer plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to limit the potential damage. Implement a Web Application Firewall (WAF) with rules to block requests to the file-process.php endpoint with suspicious parameters. Monitor WordPress logs for unusual file deletion activity. After upgrading, verify the fix by attempting to access the file-process.php endpoint with a crafted request designed to trigger the vulnerability; it should now be blocked or return an error.
Actualice el plugin WP Hide & Security Enhancer a la última versión disponible. La vulnerabilidad que permite la eliminación de contenido de archivos arbitrarios sin autenticación se ha corregido en versiones posteriores a la 2.5.1.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11585 is a vulnerability in the WP Hide & Security Enhancer plugin that allows unauthenticated attackers to delete arbitrary files on a WordPress server.
You are affected if you are using WP Hide & Security Enhancer version 2.5.1 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WP Hide & Security Enhancer plugin to the latest available version. If upgrading is not immediately possible, restrict file access permissions and implement WAF rules.
There is currently no confirmed active exploitation, but the ease of exploitation suggests it could become a target.
Refer to the official WP Hide & Security Enhancer website and WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.