Platform: wordpress
Component: boldgrid-backup
Fixed in: 1.15.9
CVE-2024-24869 describes an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in BoldGrid Total Upkeep. This flaw allows attackers to potentially access arbitrary files on the server. The vulnerability impacts versions of Total Upkeep up to and including 1.15.8. A patch is available in version 1.15.9.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of BoldGrid Total Upkeep, this could allow an attacker to read configuration files, database connection strings, or even source code, potentially exposing sensitive information. Successful exploitation could lead to data breaches, privilege escalation, or further compromise of the WordPress environment. While the specific files accessible depend on server configuration and permissions, the potential for significant impact is present.
CVE-2024-24869 was publicly disclosed on 2024-05-17. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is not widely available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
EPSS: 1.42% (81st percentile)
The primary mitigation for CVE-2024-24869 is to upgrade BoldGrid Total Upkeep to version 1.15.9 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file access permissions on the server and implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., '../'). Regularly monitor access logs for suspicious activity and consider using a security scanner to identify potential vulnerabilities. After upgrading, confirm the fix by attempting to access files outside the intended directory via the vulnerable endpoint and verifying access is denied.
Update the Total Upkeep plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. To update, go to the WordPress administration panel, open the 'Plugins' section, and search for 'Total Upkeep' to update it.
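Two defender-side checks that follow from the advisory, as an added example that is not part of this page or of the Total Upkeep plugin: a version test against the affected range (up to and including 1.15.8) and a scan of web access logs for traversal sequences in requests that reference the plugin slug. The log lines, the `admin.php?page=boldgrid-backup&file=` request shape and the `203.0.113.x` addresses are constructed sample data; the page does not name the vulnerable endpoint, so the detector keys on the `boldgrid-backup` slug anywhere in the request rather than on a specific URL.

```python
import re
from urllib.parse import unquote

AFFECTED_MAX = (1, 15, 8)          # from the advisory: vulnerable up to and including 1.15.8
PLUGIN_SLUG = "boldgrid-backup"    # component slug given on the page
TRAVERSAL = re.compile(r"\.\.(?:/|$)")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) ')

# Constructed Apache-style access-log sample (not real traffic); the request
# shape after the plugin slug is hypothetical, not an endpoint named on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2024:10:01:02 +0000] "GET /wp-content/plugins/boldgrid-backup/readme.txt HTTP/1.1" 200 512
203.0.113.9 - - [17/May/2024:10:01:05 +0000] "GET /wp-admin/admin.php?page=boldgrid-backup&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [17/May/2024:10:01:07 +0000] "GET /wp-admin/admin.php?page=boldgrid-backup&file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0
198.51.100.2 - - [17/May/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 91234
"""


def parse_version(version: str) -> tuple:
    """Turn '1.15.8' into (1, 15, 8); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the installed plugin version falls inside the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX


def normalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable (catches %2e%2e and %252e%252e alike),
    then fold backslashes to forward slashes so one traversal pattern covers both."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def find_traversal_requests(log_text: str) -> list:
    """Return (client_ip, normalized_request) for requests that mention the plugin
    slug and contain a '..' path segment after decoding. Blocked (403) attempts are
    reported too: a WAF hit is still a signal worth reviewing."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        target = normalize(match.group(1))
        if PLUGIN_SLUG in target and TRAVERSAL.search(target):
            hits.append((line.split()[0], target))
    return hits
```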
CVE-2024-24869 is a path traversal vulnerability in BoldGrid Total Upkeep allowing attackers to potentially access arbitrary files. It has a CVSS score of 7.5 (HIGH) and affects versions up to 1.15.8.
You are affected if you are using BoldGrid Total Upkeep version 1.15.8 or earlier. Upgrade to version 1.15.9 to resolve the vulnerability.
Upgrade BoldGrid Total Upkeep to version 1.15.9 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block path traversal attempts.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the BoldGrid security advisory for detailed information and updates: [https://boldgrid.com/security-advisories/]