Platform: wordpress
Component: et-core-plugin
Fixed in: 5.3.9
CVE-2024-33557 describes a Path Traversal vulnerability within the XStore Core WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of XStore Core up to and including 5.3.8, and a patch is available in version 5.3.9.
The Path Traversal vulnerability in XStore Core allows an attacker to bypass intended access restrictions and include files from outside the intended directory. This can be exploited by uploading a malicious PHP file and then including it through a crafted URL. Successful exploitation could lead to the disclosure of sensitive configuration files, database credentials, or even the execution of arbitrary code on the server. The potential impact extends beyond the WordPress instance itself, as attackers could leverage compromised server access to move laterally within the network or exfiltrate data.
CVE-2024-33557 was publicly disclosed on June 4, 2024. No public exploits have been widely reported, but Path Traversal flaws are typically easy to exploit, so rapid exploitation remains possible. Monitor WordPress installations for suspicious file access attempts and unusual PHP file inclusions. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 1.66% (82nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-33557 is to immediately upgrade the XStore Core plugin to version 5.3.9 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file upload permissions and carefully validate all user-supplied input to prevent malicious file uploads. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
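Monitoring for the traversal attempts the advisory mentions needs more than a literal "../" match, because the same sequence also arrives percent-encoded, double-encoded or with backslashes. The following Python detector is an added example, not code from the advisory or the XStore Core project: it decodes each request target before matching and runs over constructed log lines, in which the endpoint and parameter names are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (illustrative, not real traffic).
# The endpoint and parameter names are placeholders, not the real
# vulnerable XStore Core endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jun/2024:10:01:02 +0000] "GET /wp-content/plugins/et-core-plugin/example.php?file=../../../../wp-config.php HTTP/1.1" 200 1532
203.0.113.5 - - [04/Jun/2024:10:01:03 +0000] "GET /wp-content/plugins/et-core-plugin/example.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1532
203.0.113.5 - - [04/Jun/2024:10:01:04 +0000] "GET /index.php?p=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 512
198.51.100.7 - - [04/Jun/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/06/photo.jpg HTTP/1.1" 200 80211
198.51.100.7 - - [04/Jun/2024:10:02:01 +0000] "GET /blog/wait...what/ HTTP/1.1" 200 4096
"""

# Request line inside a Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment: preceded by start, a slash or a query delimiter,
# and followed by a slash or end of string (so "wait...what" is ignored).
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&;])\.\.(?:/|$)')

def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences
    such as %252e%252e%252f collapse to '../'; fold backslashes to '/'."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")

def is_traversal(target: str) -> bool:
    """True if the request target contains a '..' segment after decoding."""
    return TRAVERSAL_RE.search(normalize(target)) is not None

def find_traversal_requests(log_text: str) -> list:
    """Return one record per log line whose request target looks like a
    path-traversal attempt, with the decoded form for analyst review."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_traversal(target):
            hits.append({"line": lineno, "client": line.split(" ", 1)[0],
                         "target": target, "decoded": normalize(target)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['client']} -> {hit['decoded']}")
```

The same normalize-then-match logic is what a WAF rule for "../" must do to avoid being bypassed by encoding.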
Update the XStore Core plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 5.3.8. To update, go to the WordPress admin panel, then to the Plugins section, and look for XStore Core. If an update is available, install it immediately.
CVE-2024-33557 is a Path Traversal vulnerability affecting the XStore Core WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using XStore Core version 5.3.8 or earlier, you are vulnerable to this Path Traversal flaw.
Upgrade the XStore Core plugin to version 5.3.9 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no widespread exploitation has been confirmed, Path Traversal flaws are typically easy to exploit, so this one could be exploited quickly. Monitor your WordPress site closely.
Refer to the official XStore Core website and WordPress plugin repository for the latest advisory and update information.