Platform
wordpress
Component
upunzipper
Fixed in
1.0.1
CVE-2024-35744 is an Arbitrary File Access vulnerability in the Upunzipper WordPress plugin. By manipulating the file paths the plugin processes, an attacker can read or modify files on the server outside the directories the plugin is meant to touch. Versions of Upunzipper up to and including 1.0.0 are affected; version 1.0.1 contains the fix.
The vulnerability lets an attacker bypass the plugin's intended access controls and read or write files on the server through a manipulated path. Because the plugin runs with the privileges of the web server process, the attacker can reach any file that process can read, including wp-config.php and the database credentials it holds, and other configuration or source files, and can overwrite any file that process can write, which is enough to break the site (denial of service) or fully compromise the WordPress installation. The impact is worse on shared hosting, where one web server account may serve several sites and a write primitive on one site can affect the others.
CVE-2024-35744 was publicly disclosed on June 10, 2024. No public exploit is known at the time of writing, but path traversal flaws are simple to weaponize and are routinely picked up by automated scanners, so opportunistic exploitation should be expected. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
0.17% (39th percentile)
The primary mitigation for CVE-2024-35744 is to upgrade the Upunzipper plugin to version 1.0.1 or later without delay. If the upgrade must wait for compatibility testing, add a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences; the rule has to be applied to the decoded request, since attackers routinely send ../ as %2e%2e%2f or double-encoded as ..%252f, and a literal match on ../ alone will miss those. Treat the WAF rule as a stopgap, not a fix. Review the plugin's file upload and processing logic so that every caller-supplied path is resolved under a fixed base directory and rejected if it lands outside it, and monitor web server and WordPress logs for requests that reference files outside the upload directory.
Update the Upunzipper plugin to a version later than 1.0.0. If no such version is available, consider uninstalling the plugin until a fixed version is published. This will prevent arbitrary file deletion on your server.
CVE-2024-35744 is a HIGH severity vulnerability in Upunzipper that allows attackers to read or modify files on the server via path traversal. It affects versions up to and including 1.0.0.
Yes. If you are running Upunzipper version 1.0.0 or earlier, you are affected.
Upgrade Upunzipper to version 1.0.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the vulnerability's nature makes it a likely target for exploitation.
Check the official Upunzipper plugin page and WordPress.org plugin repository for updates and advisories.