Platform: wordpress
Component: booking-ultra-pro
Fixed in: 1.1.14
CVE-2024-38717 describes a Path Traversal vulnerability in the Booking Ultra Pro Appointments Booking Calendar WordPress plugin. The flaw lets an attacker make the plugin include files from outside its intended directory, which exposes sensitive data and, depending on what can be included, can lead to code execution. Versions up to and including 1.1.13 are affected; the fix ships in version 1.1.14.
The primary impact is Local File Inclusion (LFI) through path traversal: by supplying a file path containing traversal sequences such as ../, an attacker can make the plugin include files outside the directory it was written to serve. On a typical WordPress host this can expose wp-config.php (which holds database credentials and authentication salts), plugin and theme source code, or operating-system files readable by the web server account. The advisory does not state that remote code execution is directly possible, but LFI escalates to code execution whenever the attacker can place content under their control somewhere the web server can read (for example through an upload feature or a poisoned log), because including a file runs it as PHP. Successful exploitation can therefore result in unauthorized access to the WordPress installation, data theft, and compromise of the server.
CVE-2024-38717 was publicly disclosed on 2024-07-12. At the time of writing there are no reports of active exploitation campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog. No public proof-of-concept exploit is widely available, but path traversal bugs are usually simple to exploit once the vulnerable parameter is known, so the absence of a public PoC should not be read as low risk.
Exploit Status
EPSS: 1.23% (79th percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2024-38717 is to upgrade the Booking Ultra Pro Appointments plugin to version 1.1.14 or later as soon as possible. If the upgrade has to wait for compatibility testing, reduce exposure in the meantime: make sure the web server account cannot read files outside the WordPress document root, add a Web Application Firewall (WAF) rule that rejects path traversal in request parameters, and review the plugin's configuration against security best practices. A WAF rule that only matches a literal '../' is easy to bypass; it must also catch URL-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f) and backslash (..\) variants, so decode each parameter before matching. After upgrading, confirm the fix on a system you are authorized to test by sending a request with a traversal sequence in the affected parameter and verifying that no file outside the plugin's directory is returned.
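The following is an added example, not code from the page or from the plugin, of the two checks the paragraph above calls for: a WAF-style detector that decodes request parameters before looking for traversal sequences (so encoded and double-encoded payloads are caught), and the server-side guard a fixed plugin should apply, which resolves the requested name and accepts it only if it stays inside the allowed directory. The sample request lines are constructed, and the endpoint and the `template` parameter are placeholders; the page does not name the plugin's vulnerable parameter.

```python
import os
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request lines for the demo. The "example_action" endpoint
# and the "template" parameter are placeholders chosen for illustration; they
# are not the plugin's real parameter names.
SAMPLE_REQUESTS = [
    "GET /wp-admin/admin-ajax.php?action=example_action&template=calendar-week.php",
    "GET /wp-admin/admin-ajax.php?action=example_action&template=../../../../wp-config.php",
    "GET /wp-admin/admin-ajax.php?action=example_action&template=%2e%2e%2f%2e%2e%2fwp-config.php",
    "GET /wp-admin/admin-ajax.php?action=example_action&template=%252e%252e%252fetc%252fpasswd",
    "GET /wp-admin/admin-ajax.php?action=example_action&template=..%5c..%5cwp-config.php",
]

# A ".." segment bounded by a separator or by the start/end of the value.
# "a..b.php" is a legal file name and must not trigger the rule.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are
    caught, then fold backslashes to forward slashes so "..\\" counts as "../"."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal_attempt(value: str) -> bool:
    """True if a parameter value contains a dot-dot segment after decoding,
    or an embedded NUL byte (historically used to truncate include paths)."""
    normalized = normalize(value)
    if "\x00" in normalized:
        return True
    return TRAVERSAL_RE.search(normalized) is not None


def flag_request(request_line: str) -> List[str]:
    """Return the names of query parameters that carry a traversal attempt.
    This is what a WAF rule has to do: inspect each parameter after decoding
    rather than grep the raw URL for a literal "../"."""
    _method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0]  # drop "HTTP/1.1" if present
    query = urlsplit(target).query
    # parse_qsl decodes one layer of percent-encoding; normalize() handles the rest.
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if is_traversal_attempt(value)]


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Server-side counterpart of the WAF rule: canonicalize the requested
    name against base_dir and accept it only if the result is still inside
    base_dir. Absolute paths and escaping ".." sequences yield None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(flag_request(line) or "clean", line)
    print(resolve_within("/srv/example/templates", "calendar-week.php"))
    print(resolve_within("/srv/example/templates", "../../../../wp-config.php"))
```

The detector and the guard are deliberately separate: the WAF rule buys time before the upgrade, while the realpath-plus-commonpath check is the property the patched code must have, since it rejects any input whose canonical form leaves the intended directory regardless of how the traversal was encoded.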
Update the Booking Ultra Pro plugin to version 1.1.14 or later. The Local File Inclusion vulnerability lets attackers read sensitive server files; the update removes it.
CVE-2024-38717 is a Path Traversal vulnerability in the Booking Ultra Pro Appointments WordPress plugin, allowing attackers to potentially include arbitrary files.
Yes, if you are using Booking Ultra Pro Appointments version 1.1.13 or earlier, you are affected by this vulnerability.
Upgrade the Booking Ultra Pro Appointments plugin to version 1.1.14 or later to resolve this vulnerability.
As of now, there are no confirmed reports of active exploitation, but path traversal flaws are simple to exploit, so affected sites remain a likely target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.