Platform: wordpress
Component: stockholm-core
Fixed in: 2.4.2
CVE-2024-34554 describes a Path Traversal vulnerability within the Stockholm Core plugin for WordPress. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of Stockholm Core up to and including 2.4.1, and a patch is available in version 2.4.2.
The core impact of this vulnerability lies in the ability to perform Local File Inclusion (LFI). An attacker could leverage this to read sensitive configuration files, source code, or even system files accessible to the webserver user. Successful exploitation could lead to the disclosure of database credentials, API keys, or other confidential information. While direct remote code execution might not be immediately possible, the ability to read arbitrary files significantly expands the attack surface and could be a stepping stone for further exploitation, such as leveraging a vulnerable application to execute malicious code.
CVE-2024-34554 was publicly disclosed on June 4, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are currently available, increasing the risk of exploitation.
Exploit Status:
EPSS: 0.65% (71st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-34554 is to immediately upgrade the Stockholm Core plugin to version 2.4.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive files to the webserver user to limit the potential damage from a successful exploit. Monitor WordPress access logs for suspicious requests containing path traversal attempts.
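The last two mitigation steps above (WAF rule on traversal sequences, monitoring access logs for traversal attempts) can be checked against the logs you already have. The script below is an added example for this advisory, not code from the Stockholm Core plugin, its vendor, or the advisory source. It assumes Apache/nginx combined log format and uses constructed sample lines with a hypothetical `/index.php?f=` endpoint; it does not reproduce the plugin's actual vulnerable request.

```python
"""Scan WordPress access logs for path traversal attempts (plain, percent-encoded,
double-encoded and backslash variants). Added example; the log lines and the
endpoint they reference are constructed placeholders, not the real CVE-2024-34554 request."""
import re
from urllib.parse import unquote

# Apache/nginx combined log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment that is not part of a filename (photo..jpg) or a version string (1..2):
# not preceded by a word character or dot, and followed by a separator or end of string.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?=/|$)')


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded %252e%252e%252f
    both collapse to "../", then fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def find_traversal_attempts(lines):
    """Return (ip, raw_path, status) for every request whose decoded path contains
    a traversal sequence. Malformed lines are skipped rather than aborting the scan."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(normalize(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def successful_attempts(hits):
    """Traversal requests answered with 2xx deserve first attention: a WAF or the
    patched plugin would normally answer 403/404 instead."""
    return [h for h in hits if 200 <= h[2] < 300]


# Constructed sample log; IPs are documentation ranges, the endpoint is a placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Jun/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2567 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2024:10:00:05 +0000] "GET /index.php?f=../../wp-config.php HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Jun/2024:10:00:06 +0000] "GET /index.php?f=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 312 "-" "curl/8.0"',
    '198.51.100.7 - - [04/Jun/2024:10:00:07 +0000] "GET /index.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.10 - - [04/Jun/2024:10:00:09 +0000] "GET /wp-content/uploads/2024/06/photo..jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2024:10:00:11 +0000] "GET /index.php?f=..%5c..%5cwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"{status} {ip} {path}")
    print(f"{len(found)} traversal attempts, {len(successful_attempts(found))} answered 2xx")
```

Run it against a real log with `find_traversal_attempts(open("access.log"))`. The decode loop is bounded so a request padded with nested `%25` encodings cannot make the scanner spin, and the regex deliberately ignores `..` inside filenames so the legitimate `photo..jpg` request does not alert; a WAF rule built on the same pattern inherits the same false-positive behaviour.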
Update the Stockholm Core plugin to the latest available version. The Local File Inclusion (LFI) vulnerability is fixed in versions after 2.4.1. Consult the plugin's changelog for more details on the update.
CVE-2024-34554 is a Path Traversal vulnerability in the Stockholm Core WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Stockholm Core version 2.4.1 or earlier, you are affected by this vulnerability.
Upgrade the Stockholm Core plugin to version 2.4.2 or later to resolve this vulnerability. Consider WAF rules as an interim measure.
While there is no confirmed active exploitation, public proof-of-concept exploits exist, increasing the risk.
Refer to the official Stockholm Core website or WordPress plugin repository for the latest advisory and update information.