Platform
wordpress
Component
woo-permalink-manager
Fixed in
2.3.11
CVE-2024-27971 describes a Path Traversal vulnerability within the Premmerce Permalink Manager for WooCommerce plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive information disclosure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 2.3.10, with a fix released in version 2.3.11.
The core impact of CVE-2024-27971 is PHP Local File Inclusion (LFI): the plugin builds a file path from request-controlled input without confining it to its intended directory, so a crafted URL carrying traversal sequences (../) can make the plugin include files from elsewhere on the server. At minimum this exposes whatever the PHP process can read, such as wp-config.php with its database credentials, other configuration files and plugin or theme source code. Because the file is included rather than merely read, the bug can escalate to arbitrary PHP execution if the attacker can get PHP code onto disk somewhere the web server can read (for example via an unrelated upload feature); with code execution the blast radius is the whole site and, depending on host hardening, the server: the WooCommerce store, its customer and order data, and any other sites sharing the same PHP user. Realistic outcomes are data breaches, defacement and complete takeover.
CVE-2024-27971 was publicly disclosed on 2024-05-17. As of this writing no public proof-of-concept (PoC) code has been released, but path traversal leading to LFI is a simple bug class to exploit once the affected parameter is known, typically a single crafted GET request. The EPSS score recorded on this page is 48.09% (98th percentile), meaning FIRST's model rates this CVE as more likely to see exploitation attempts in the next 30 days than roughly 98% of all published CVEs, so it should be treated as high priority despite the absence of a public PoC. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
48.09% (98th percentile)
The primary mitigation for CVE-2024-27971 is to upgrade the Premmerce Permalink Manager for WooCommerce plugin to version 2.3.11 or later without delay. If the upgrade must wait for compatibility testing, reduce exposure in the meantime with controls that match the bug: LFI is a read-and-include problem, so what matters is which files the PHP process can read and include, not which directories it can write to. Set PHP's open_basedir to the WordPress installation plus the temp and session paths PHP legitimately needs, so an include cannot reach files such as /etc/passwd; confirm allow_url_include is Off (the default) so a traversal cannot be turned into a remote include; and on shared hosts run PHP as a dedicated user that cannot read other sites' files. A Web Application Firewall (WAF) rule can block requests whose parameters contain a traversal sequence, but it must match after percent-decoding: ../ also arrives as %2e%2e%2f, as the double-encoded %252e%252e%252f, or with a backslash as ..%5c, and a rule that only looks for a literal pair of dots is trivially bypassed. Blocking absolute paths is noisier, because WordPress legitimately passes site-relative paths in some parameters, so tune such a rule against your own traffic. After upgrading, verify the fix by sending a request that places a traversal sequence in the affected parameter (this page does not name it; take it from the vendor advisory) and confirming the response is rejected or ignored and contains no file contents; then search the access log for earlier requests of the same shape, since a 200 response to one of them from a pre-2.3.11 install indicates a probable disclosure.
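As an added example (not code from the Premmerce plugin, the vendor advisory or this page), the following Python models two of the controls above: the canonicalise-then-compare confinement check that a fixed include should apply so a traversal cannot escape the template directory, and an access-log scan that flags traversal attempts after percent-decoding, so the encoded variants a literal ".." rule misses are still caught. The template directory path, the query parameter name `template`, and the log lines are constructed for illustration; the page does not name the vulnerable parameter, and the scan is deliberately parameter-agnostic.

```python
"""Added example: path-confinement check against traversal/LFI plus an
access-log scan for traversal attempts. Not code from the Premmerce plugin
or this advisory; BASE_DIR, the 'template' parameter and SAMPLE_LOG are
constructed for illustration."""
import os
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical template directory a permalink plugin might include files from.
BASE_DIR = "/srv/www/wp-content/plugins/woo-permalink-manager/templates"

# A '..' path segment, matched only after decoding and backslash normalisation.
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

# Common/combined access-log format; only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    This is the check a fixed include() should make: canonicalise both paths
    (resolving '.', '..' and symlinks) and compare prefixes. Absolute paths,
    traversal sequences and NUL bytes (which truncated paths in PHP < 8) are
    all rejected; None means "do not include".
    """
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..';
    backslashes are folded to '/' because PHP on Windows accepts both."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def traversal_params(target: str) -> Dict[str, str]:
    """Map parameter name -> decoded value for every query value that
    contains a '..' segment. Works without knowing the vulnerable parameter."""
    query = urlsplit(target).query
    hits: Dict[str, str] = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:  # parse_qs has already removed one encoding layer
            decoded = decode_fully(raw)
            if DOTDOT_SEGMENT.search(decoded):
                hits[name] = decoded
    return hits


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int, Dict[str, str]]]:
    """Return (client_ip, request_target, status, flagged_params) for each
    line whose query string carries a traversal sequence. A 200 on such a
    request from a pre-2.3.11 install is a signal to inspect the response."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = traversal_params(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], int(m["status"]), hits))
    return findings


# Constructed log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2024:10:01:02 +0000] "GET /shop/?template=product HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/May/2024:10:01:09 +0000] "GET /shop/?template=../../../../wp-config.php HTTP/1.1" 200 3180',
    '198.51.100.23 - - [17/May/2024:10:02:14 +0000] "GET /shop/?template=%252e%252e%2f%252e%252e%2fwp-config.php HTTP/1.1" 200 3180',
    '198.51.100.23 - - [17/May/2024:10:02:20 +0000] "GET /shop/?template=..%5c..%5cwp-config.php HTTP/1.1" 403 512',
    '192.0.2.9 - - [17/May/2024:10:03:00 +0000] "GET /shop/product/blue-widget/ HTTP/1.1" 200 4000',
]


if __name__ == "__main__":
    for ip, target, status, hits in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {hits}")
    for req in ("product.php", "../../../../wp-config.php", "/etc/passwd"):
        print(f"{req!r} -> {resolve_within(BASE_DIR, req)}")
```

Three of the five constructed lines are flagged, including the double-encoded and backslash forms that a literal ".." signature would pass; the benign product page is not. The two 200 responses are the ones worth investigating on a pre-2.3.11 install, since a fixed plugin should refuse or ignore the path rather than serve file contents.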
Update the Premmerce Permalink Manager for WooCommerce plugin to the latest available version. The local file inclusion vulnerability lets attackers access sensitive files on the server. The update fixes this vulnerability.
What is CVE-2024-27971?
CVE-2024-27971 is a Path Traversal vulnerability in Premmerce Permalink Manager for WooCommerce that lets attackers include arbitrary local files through the plugin, leading to sensitive information disclosure or, where PHP code can be placed on disk, code execution.
Am I affected?
Yes, if you are running Premmerce Permalink Manager for WooCommerce version 2.3.10 or earlier.
How do I fix it?
Upgrade the Premmerce Permalink Manager for WooCommerce plugin to version 2.3.11 or later. If an immediate upgrade is not possible, confine what PHP can include (open_basedir, a least-privilege PHP user) and add a WAF rule that matches traversal sequences after decoding.
Is it being exploited?
No public exploit is known at the time of writing, but the bug class is easy to exploit and the EPSS score on this page (48.09%, 98th percentile) is high, so prompt mitigation is crucial.
Where can I find more information?
Refer to the Premmerce website and the WordPress plugin repository for the latest advisory and update information.