Platform: wordpress
Component: wp-cafe
Fixed in: 2.2.28
CVE-2024-37513 describes a Path Traversal vulnerability discovered in the WPCafe WordPress plugin. This flaw allows unauthorized access to sensitive files on the web server by exploiting improper input validation. Versions of WPCafe up to and including 2.2.27 are affected, and a patch is available in version 2.2.28.
The Path Traversal vulnerability in WPCafe allows an attacker to bypass intended access restrictions and read files outside of the webroot. This could expose sensitive information such as configuration files, database credentials, or even source code. A successful exploit could lead to complete compromise of the WordPress installation and potentially the entire server. The attacker could leverage this access to escalate privileges, install malware, or steal user data. While this vulnerability doesn't directly lead to remote code execution, the information gained could be used to identify and exploit other vulnerabilities on the system.
CVE-2024-37513 was publicly disclosed on July 9, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. Public proof-of-concept exploits are emerging, increasing the risk of exploitation.
Exploit Status
EPSS: 1.23% (79th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-37513 is to immediately upgrade the WPCafe plugin to version 2.2.28 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the web server user does not have write access to directories outside the webroot. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a file outside the webroot through the vulnerable endpoint; access should be denied.
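The WAF and verification steps above can be demonstrated together. The following is an added example, not code from the page or from the WPCafe plugin: the request targets and the `file` parameter name are constructed placeholders, not the plugin's real endpoint. It shows why a rule that only matches the literal `../` is insufficient (URL-encoded, double-encoded and backslash variants slip past it) and how a server-side resolver confines a user-supplied path to a base directory.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample request targets (not real logs); the "file" parameter is a
# placeholder and not the plugin's actual parameter name.
SAMPLE_REQUESTS = [
    "/wp-admin/admin-ajax.php?file=menu.csv",
    "/wp-admin/admin-ajax.php?file=../../wp-config.php",
    "/wp-admin/admin-ajax.php?file=..%2F..%2Fwp-config.php",      # URL-encoded slash
    "/wp-admin/admin-ajax.php?file=%252e%252e%252fwp-config.php",  # double-encoded
    "/wp-admin/admin-ajax.php?file=..\\..\\wp-config.php",         # backslashes
    "/wp-content/uploads/2024/07/report.pdf",
]

# A ".." that forms a whole path segment, checked after decoding and separator unification.
_DOTDOT_SEGMENT = re.compile(r"(?:^|[/?&=])\.\.(?:[/?&]|$)")

def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (defeats double encoding) and map '\\' to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal_attempt(request_target: str) -> bool:
    """WAF-style rule: flag a request whose decoded form contains a '..' segment."""
    return _DOTDOT_SEGMENT.search(normalize(request_target)) is not None

def scan_requests(targets: List[str]) -> List[str]:
    """Return the request targets the WAF rule would block."""
    return [t for t in targets if is_traversal_attempt(t)]

def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Server-side check: resolve user_path under base_dir, or None if it escapes."""
    # lstrip('/') keeps an absolute user_path from replacing base_dir in join();
    # realpath() also follows symlinks, so a link pointing outside is rejected too.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalize(user_path).lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```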
Update the WPCafe plugin to the latest available version. The local file inclusion (LFI) vulnerability has been fixed in versions after 2.2.27. Consult the plugin's changelog for more details on the fix.
CVE-2024-37513 is a Path Traversal vulnerability affecting the WPCafe WordPress plugin, allowing attackers to read arbitrary files on the server.
You are affected if you are using WPCafe version 2.2.27 or earlier. Upgrade to version 2.2.28 to resolve the vulnerability.
Upgrade the WPCafe plugin to version 2.2.28 or later. As a temporary workaround, restrict file access permissions and implement WAF rules to block path traversal attempts.
While there is no confirmed active exploitation, public proof-of-concept exploits are emerging, increasing the risk.
Refer to the official WPCafe plugin website and WordPress plugin repository for the latest advisory and update information.