Platform
wordpress
Component
mailster
Fixed in
4.0.7
CVE-2024-32523 identifies a Path Traversal vulnerability within EverPress Mailster, allowing for PHP Local File Inclusion. This flaw enables attackers to potentially access and include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts Mailster versions up to 4.0.6, and a patch is available in version 4.0.7.
The Path Traversal vulnerability in Mailster allows an attacker to manipulate file paths, bypassing intended security restrictions. By crafting malicious requests, an attacker can include arbitrary files from the server's filesystem. This could lead to the exposure of sensitive configuration files, source code, or even system files. In a worst-case scenario, an attacker could leverage this vulnerability to execute arbitrary PHP code on the server, gaining complete control of the Mailster installation and potentially the entire WordPress site. The impact is amplified if the Mailster plugin has access to sensitive data or interacts with other critical systems.
CVE-2024-32523 was publicly disclosed on May 17, 2024. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. While no public proof-of-concept (PoC) code has been released, the nature of Path Traversal vulnerabilities makes it likely that a PoC will emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
29.03% (97% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-32523 is to immediately upgrade Mailster to version 4.0.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing strict input validation to prevent path manipulation, and using a Web Application Firewall (WAF) to filter out malicious requests. Regularly review Mailster's configuration and ensure that it adheres to security best practices. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via a crafted URL; the server should return a 404 error.
Actualice el plugin Mailster a una versión posterior a la 4.0.6. Esto solucionará la vulnerabilidad de inclusión de archivos locales no autenticada. Puede actualizar el plugin directamente desde el panel de administración de WordPress.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-32523 is a Path Traversal vulnerability in Mailster allowing attackers to include arbitrary files, potentially leading to sensitive data exposure or remote code execution.
Yes, if you are using Mailster version 4.0.6 or earlier, you are affected by this vulnerability.
Upgrade Mailster to version 4.0.7 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and using a WAF.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature suggests a PoC may emerge.
Refer to the EverPress website and WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.