Platform: wordpress
Component: event-post
Fixed in: 5.9.6
CVE-2024-38735 describes a Path Traversal vulnerability within the N.O.U.S. Event post WordPress plugin. This flaw allows an attacker to potentially include arbitrary files on the server, leading to information disclosure or even remote code execution. Versions of Event post prior to 5.9.6 are affected, and a patch has been released to address the issue.
The primary impact of this vulnerability is the potential for an attacker to read arbitrary files on the server. By manipulating file paths, an attacker could gain access to sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress installation and the underlying server. While the description explicitly mentions PHP Local File Inclusion, the broader impact is the ability to read any file accessible to the webserver user. This is a significant risk, particularly if the server is not properly configured with restrictive file permissions.
CVE-2024-38735 was publicly disclosed on 2024-07-12. There is currently no indication of active exploitation or listing on CISA KEV. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it likely that exploits will emerge. Path traversal is a well-understood attack vector and is readily exploitable with basic scripting knowledge.
Exploit Status
EPSS: 2.21% (84th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to immediately upgrade to version 5.9.6 of the N.O.U.S. Event post plugin. If upgrading is not immediately feasible, consider implementing temporary workarounds. These include restricting file access permissions on the server to limit the attacker's ability to read sensitive files. Thoroughly validate all user-supplied input that is used to build file paths, so that it cannot be manipulated into a traversal sequence. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious path traversal patterns. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via a crafted URL; the server should return a 404 error.
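The input-validation workaround above, shown as an added example of how a plugin can confine a user-supplied template name to its own directory before passing it to include(). This is illustrative code written for this page, not the Event post plugin's own code; the function name, the 'template' request parameter and the templates directory are assumptions.

```php
<?php
// Added example (not the plugin's code): resolve a user-supplied template name
// to a file inside $base_dir, or return null. Assumes a WordPress runtime
// (wp_die) and that templates live under $base_dir; names are hypothetical.

/**
 * Rejects traversal ("../"), absolute paths, null bytes and anything that
 * does not resolve (via realpath) to a regular file beneath $base_dir.
 */
function event_post_safe_template_path( string $base_dir, string $requested ): ?string {
    // Accept only a bare file name of safe characters ending in .php;
    // this alone excludes "/", "\", "..", "%00" and URL-encoded variants
    // once PHP has decoded the query string.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.php$/', $requested ) ) {
        return null;
    }
    $root = realpath( $base_dir );
    if ( $root === false ) {
        return null;
    }
    // realpath() returns false for a missing file and collapses symlinks,
    // so the prefix check below also catches links that escape the directory.
    $candidate = realpath( $root . DIRECTORY_SEPARATOR . $requested );
    if ( $candidate === false || ! is_file( $candidate ) ) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    return $candidate;
}

// Usage in a request handler (the 'template' parameter name is hypothetical):
$template = isset( $_GET['template'] ) ? (string) $_GET['template'] : 'default.php';
$path     = event_post_safe_template_path( __DIR__ . '/templates', $template );
if ( $path === null ) {
    // Fail closed: never fall back to including the raw request value.
    wp_die( 'Invalid template.' );
}
include $path;
```

A rejected name should be logged with the request details so that repeated traversal attempts show up in monitoring alongside any WAF blocks.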
Update the Event post plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 5.9.5. Consult the plugin documentation for detailed instructions on how to update.
CVE-2024-38735 is a Path Traversal vulnerability in the N.O.U.S. Event post WordPress plugin, allowing attackers to potentially read arbitrary files on the server.
You are affected if you are using N.O.U.S. Event post version 5.9.5 or earlier. Upgrade to version 5.9.6 to resolve the issue.
Upgrade the N.O.U.S. Event post plugin to version 5.9.6. As a temporary workaround, restrict file access permissions and validate user input.
There is currently no confirmed active exploitation, but the vulnerability's nature makes it likely that exploits will emerge.
Refer to the N.O.U.S. website or the WordPress plugin repository for the official advisory and update information.