Platform
wordpress
Component
jet-theme-core
Fixed in
2.2.1
CVE-2024-37497 describes an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability within Crocoblock JetThemeCore. This flaw allows attackers to manipulate files on the server, potentially leading to unauthorized access and data compromise. The vulnerability impacts versions of JetThemeCore prior to 2.2.1. A patch has been released, resolving this issue.
The Arbitrary File Access vulnerability in JetThemeCore allows an attacker to read or write files outside of the intended directory. This can be exploited to disclose sensitive information such as configuration files, database credentials, or even system files. An attacker could potentially overwrite critical files, leading to denial of service or complete system compromise. The impact is particularly severe if the WordPress site hosts sensitive data or is used for critical business operations. Successful exploitation could lead to a complete takeover of the WordPress installation.
CVE-2024-37497 was publicly disclosed on 2024-07-09. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.16% (37% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-37497 is to immediately upgrade JetThemeCore to version 2.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Actualice el plugin JetThemeCore a la versión 2.2.1 o superior. Esta actualización corrige la vulnerabilidad de eliminación arbitraria de archivos. Puede actualizar a través del panel de administración de WordPress o descargando la última versión desde el sitio web del desarrollador.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-37497 is a vulnerability in JetThemeCore versions ≤2.2.1 that allows attackers to manipulate files on the server due to improper path validation, potentially leading to sensitive data exposure.
You are affected if you are using JetThemeCore version 2.2.1 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade JetThemeCore to version 2.2.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access permissions and WAF rules.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly to prevent potential attacks.
Refer to the Crocoblock website and JetThemeCore plugin documentation for the official advisory and detailed information regarding this vulnerability.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.