Platform: wordpress
Component: listingpro-plugin
Fixed in: 2.9.4
CVE-2024-39621 describes a Path Traversal vulnerability within the ListingPro WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of ListingPro up to and including 2.9.3, and a patch is available in version 2.9.4.
The core of this vulnerability lies in the improper handling of file paths within the ListingPro plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and forcing the application to include files outside of the designated directory. Successful exploitation can lead to the disclosure of sensitive configuration files, source code, or even system files. Depending on the files included, an attacker could potentially execute arbitrary code on the server, gaining complete control over the WordPress installation. This is a critical risk, especially for sites hosting sensitive data or used for business-critical operations.
CVE-2024-39621 was publicly disclosed on August 1, 2024. While no public proof-of-concept (POC) code has been widely released, the Path Traversal vulnerability is a well-understood attack vector, and it is likely that exploit code will emerge. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 1.16% (79th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-39621 is to immediately upgrade the ListingPro plugin to version 2.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) rule to block suspicious requests containing path traversal attempts (e.g., ../), and carefully reviewing the plugin's configuration to ensure no unintended file inclusions are possible. After upgrading, verify the fix by attempting a path traversal attack and confirming that the application properly restricts access.
Update the ListingPro plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions later than 2.9.3. See the plugin documentation for instructions on how to update.
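A defender-side illustration of the WAF workaround described above, added here as an example and not code from this page or from the ListingPro plugin: a rule that matches the literal string `../` misses percent-encoded, double-encoded and backslash variants of the same traversal, so the request should be decoded and normalised before the rule is applied. The endpoint, the `template` parameter and the sample request lines are constructed placeholders, not the plugin's real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not real ListingPro traffic); the
# endpoint and the "template" parameter are placeholders.
SAMPLE_REQUESTS = [
    "/index.php?template=../../wp-config.php",
    "/index.php?template=%2e%2e%2f%2e%2e%2fwp-config.php",
    "/index.php?template=%252e%252e%252fwp-config.php",
    "/index.php?template=..%5c..%5cwp-config.php",
    "/index.php?template=default.php",
    "/wp-content/plugins/example/assets/style.css",
]

# A dot-dot segment followed by a separator, checked on normalised input.
DOT_DOT_SEGMENT = re.compile(r"\.\./")


def naive_match(request: str) -> bool:
    """The literal '../' rule an advisory typically suggests."""
    return "../" in request


def normalize(request: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads collapse
    to their literal form, then fold backslashes to forward slashes.
    Overlong UTF-8 encodings are not handled by this simple pass."""
    decoded = request
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def is_traversal(request: str) -> bool:
    """Flag a request whose normalised form contains a dot-dot segment."""
    return DOT_DOT_SEGMENT.search(normalize(request)) is not None


def scan(requests):
    """Return the requests caught by the naive rule and by the normalised rule."""
    naive = [r for r in requests if naive_match(r)]
    normalised = [r for r in requests if is_traversal(r)]
    return naive, normalised


if __name__ == "__main__":
    naive_hits, normalised_hits = scan(SAMPLE_REQUESTS)
    print(f"naive rule caught {len(naive_hits)}, normalised rule caught {len(normalised_hits)}")
```

Over the constructed sample the literal rule catches one of the four traversal requests while the normalised rule catches all four, which is the gap a WAF rule written as "block ../" leaves open.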
CVE-2024-39621 is a Path Traversal vulnerability affecting the ListingPro WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using ListingPro versions 2.9.3 or earlier. Upgrade to 2.9.4 to resolve the issue.
Upgrade the ListingPro plugin to version 2.9.4 or later. As a temporary workaround, implement WAF rules to block path traversal attempts.
While no active exploitation has been confirmed, the vulnerability is well-understood and exploitation is likely.
Refer to the official ListingPro website and WordPress plugin repository for the latest advisory and update information.