Platform: wordpress
Component: page-builder-add
Fixed in: 1.5.3
CVE-2024-43345 is a Path Traversal vulnerability affecting the PluginOps Landing Page Builder. This vulnerability allows an attacker to potentially include arbitrary PHP files, leading to sensitive information disclosure or even remote code execution. The vulnerability impacts versions of Landing Page Builder up to and including 1.5.2.0, with a fix available in version 1.5.3.
The core impact of CVE-2024-43345 stems from the Path Traversal flaw. An attacker can manipulate file paths to access files outside the intended directory, specifically enabling Local File Inclusion (LFI). This means an attacker could potentially read configuration files, source code, or other sensitive data stored on the server. In a worst-case scenario, if the server allows PHP to execute files from arbitrary locations, this could lead to Remote Code Execution (RCE), granting the attacker complete control over the affected WordPress instance. The blast radius extends to any data accessible via the server's file system.
CVE-2024-43345 was publicly disclosed on 2024-08-19. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant risk. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.70% (72nd percentile)
The primary mitigation for CVE-2024-43345 is to immediately upgrade the Landing Page Builder plugin to version 1.5.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These could include restricting file access permissions on the server to limit the potential damage from a successful exploit. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious path traversal patterns (e.g., '../'). After upgrading, verify the fix by attempting to access files outside the intended directory via the plugin's interface; access should be denied.
Update the Landing Page Builder plugin to the latest available version. The Local File Inclusion (LFI) vulnerability is fixed in versions after 1.5.2.0. To update, go to the 'Plugins' section of the WordPress admin dashboard and find 'Landing Page Builder' to update it.
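To confirm which side of the fix an installation is on, the following added example (not code from this page or from PluginOps) reads the installed version from the plugin header and compares it with the fixed release. The slug `page-builder-add` and version 1.5.3 come from this advisory; the function names and the sample plugin tree are constructed for illustration, and the plugins directory you pass in is assumed to be the site's `wp-content/plugins`.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "page-builder-add"  # component named in this advisory
FIXED_VERSION = "1.5.3"           # first fixed release per this advisory

def parse_version(text):
    """'1.5.2.0' -> (1, 5, 2, 0); anything after the dotted digits is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """Zero-pad both sides so '1.5.3' and '1.5.3.0' compare as equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def installed_version(plugins_dir, slug=PLUGIN_SLUG):
    """Read 'Version:' from the plugin header (WordPress reads the first 8 KB).
    The main file's name is not assumed, so every top-level *.php is tried."""
    plugin_dir = Path(plugins_dir) / slug
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I):
            m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)
            if m:
                return m.group(1)
    return None

def check(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not-installed"
    return "vulnerable" if is_vulnerable(version) else "patched"

def make_sample(root, version):
    """Constructed stand-in for wp-content/plugins (not the real plugin)."""
    d = Path(root) / PLUGIN_SLUG
    d.mkdir(parents=True)
    (d / "sample-main.php").write_text(f"<?php\n/*\nPlugin Name: Sample\nVersion: {version}\n*/\n")
    return root

if __name__ == "__main__":
    for v in ("1.5.2.0", "1.5.3"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, "->", check(make_sample(tmp, v)))
```

An unparseable version string is treated as vulnerable, so a damaged or edited header is flagged for manual review.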
CVE-2024-43345 is a Path Traversal vulnerability in the PluginOps Landing Page Builder plugin for WordPress, allowing attackers to potentially include arbitrary PHP files.
Yes, if you are using Landing Page Builder version 1.5.2.0 or earlier, you are affected by this vulnerability.
Upgrade the Landing Page Builder plugin to version 1.5.3 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current date, there are no known public exploits or active campaigns targeting this vulnerability, but the HIGH CVSS score warrants immediate attention.
Refer to the PluginOps website or WordPress plugin repository for the official advisory and update information regarding CVE-2024-43345.