Platform: wordpress
Component: stockholm
Fixed in: 9.6.1
CVE-2024-34551 describes a Path Traversal vulnerability within the Select-Themes Stockholm WordPress plugin. This flaw enables an attacker to leverage improper pathname limitations to achieve Local File Inclusion (LFI), potentially granting unauthorized access to sensitive files and allowing execution of arbitrary code. The vulnerability impacts versions of Stockholm up to and including 9.6, with a fix available in version 9.6.1.
The core impact of this vulnerability lies in its ability to facilitate Local File Inclusion. An attacker can craft malicious requests to include arbitrary files from the server's filesystem, bypassing intended access controls. This could lead to the exposure of sensitive configuration files, source code, or even system binaries. Successful exploitation could allow an attacker to execute arbitrary PHP code, effectively gaining complete control over the affected WordPress instance. The potential for remote code execution makes this a high-severity risk, particularly in environments where Stockholm is used to manage critical themes or functionalities.
CVE-2024-34551 was publicly disclosed on 2024-06-04. While no active exploitation campaigns have been publicly reported as of this writing, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation.
EPSS: 0.65% (71st percentile)
The primary mitigation for CVE-2024-34551 is to immediately upgrade the Select-Themes Stockholm plugin to version 9.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Regularly review and audit the plugin's configuration to ensure adherence to security best practices. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
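The WAF rule above matches the literal `../`; the following added Python example (not from the advisory or the vendor) shows a detection check that percent-decodes and normalizes the request path first, so encoded and backslash variants are also caught, alongside the containment check a hardened file include should perform. The request paths and the base directory are constructed samples.

```python
import os
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample request paths (not real traffic); the first one is benign.
SAMPLE_REQUESTS = [
    "/wp-content/themes/stockholm/header.php",
    "/wp-content/themes/stockholm/../../../sensitive-file.php",
    "/wp-content/themes/stockholm/%2e%2e/%2e%2e/%2e%2e/sensitive-file.php",
    "/wp-content/themes/stockholm/%252e%252e/%252e%252e/sensitive-file.php",
    "/wp-content/themes/stockholm/..\\..\\sensitive-file.php",
]

# Constructed theme directory used for the containment check.
BASE_DIR = "/var/www/html/wp-content/themes/stockholm"


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (defeats double encoding) and unify slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal_attempt(path: str) -> bool:
    """Detection rule: flag any '..' path segment after normalization, not just literal '../'."""
    return ".." in normalize(path).split("/")


def flagged_requests(requests: List[str]) -> List[str]:
    """Return the requests a WAF or log review should flag."""
    return [r for r in requests if is_traversal_attempt(r)]


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Hardened include: resolve the candidate and require it to stay under base_dir.

    Returns the absolute path, or None when the candidate escapes base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalize(requested).lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(("TRAVERSAL " if is_traversal_attempt(req) else "ok        ") + req)
```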
Update the Stockholm theme to the latest available version. If a newer version is not available, consider disabling or replacing the theme with a secure alternative. Consult the vendor's website for more information and updates.
CVE-2024-34551 is a critical Path Traversal vulnerability in the Select-Themes Stockholm WordPress plugin, allowing attackers to potentially include arbitrary files.
You are affected if you are using Select-Themes Stockholm version 9.6 or earlier. Upgrade to 9.6.1 to mitigate the risk.
Upgrade the Select-Themes Stockholm plugin to version 9.6.1 or later. Consider temporary WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity suggests a high probability of exploitation.
Refer to the Select-Themes website or WordPress plugin repository for the latest advisory and update information.