Platform: wordpress
Component: instant-chat-wp
Fixed in: 1.0.6
CVE-2024-44018 describes a Path Traversal vulnerability within the Instant Chat Floating Button for WordPress Websites plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 1.0.5, and a patch is available in version 1.0.6.
The primary impact of this vulnerability is the potential for PHP Local File Inclusion (LFI). An attacker could leverage this to read sensitive files from the server's filesystem, such as configuration files containing database credentials or application source code. Successful exploitation could lead to complete compromise of the WordPress installation. While there is no known prior exploitation of this specific plugin, Path Traversal vulnerabilities are frequently exploited to gain unauthorized access to system resources and escalate privileges. The ability to include arbitrary PHP files opens the door to remote code execution, allowing an attacker to run malicious code on the server.
CVE-2024-44018 was publicly disclosed on 2024-10-05. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of the vulnerability makes it likely that PoCs will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk to federal executive branch agencies.
Exploit Status
EPSS: 0.30% (53rd percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation is to immediately upgrade the Instant Chat Floating Button for WordPress Websites plugin to version 1.0.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the WordPress server. Specifically, ensure that the web server user has minimal privileges and cannot write to directories containing sensitive files. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a non-existent file via the vulnerable endpoint and confirming that access is denied.
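The WAF workaround above only helps if the rule normalizes the request before matching: a literal "../" check misses percent-encoded, double-encoded and backslash variants. The following is an added detection example, not code from the advisory or the plugin, that applies that normalization to constructed access-log lines; the "page" query parameter and the sample requests are hypothetical, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Combined/common access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# After decoding and slash-folding, any "../" (or a trailing "..") is a traversal.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")

def normalize_target(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding such as %252e),
    fold backslashes to slashes and collapse repeated slashes."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"/+", "/", decoded.replace("\\", "/"))

def has_traversal(raw_target: str) -> bool:
    """True when the decoded path/query contains a traversal sequence or an
    embedded NUL; a rule matching only the literal "../" misses these forms."""
    normalized = normalize_target(raw_target)
    return "\x00" in normalized or TRAVERSAL_RE.search(normalized) is not None

def flag_traversal_requests(log_lines):
    """Return (client_ip, raw_target, status) for each request that carries
    a traversal sequence; unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits

# Constructed sample log lines; the "page" parameter is hypothetical, not the
# plugin's real endpoint, which this advisory does not name.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2024:12:00:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Oct/2024:12:00:01 +0000] "GET /index.php?page=../../../wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Oct/2024:12:00:02 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1400',
    '198.51.100.7 - - [05/Oct/2024:12:00:03 +0000] "GET /index.php?page=..%252f..%252fwp-config.php HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, target, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip} -> {target} ({status})")
```

A 200 status on a flagged request is the case to investigate first; a 403 indicates the request was already blocked.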
Update the Instant Chat WP plugin to the latest available version. If no newer version is available, consider disabling or removing the plugin until an update that fixes the vulnerability is released. See the plugin's page on WordPress.org for more information and updates.
CVE-2024-44018 is a Path Traversal vulnerability affecting the Instant Chat Floating Button plugin for WordPress, allowing attackers to potentially include arbitrary files.
You are affected if you are using Instant Chat Floating Button for WordPress Websites version 1.0.5 or earlier.
Upgrade the Instant Chat Floating Button plugin to version 1.0.6 or later. Consider temporary workarounds like restricting file access permissions and implementing WAF rules.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Check the Istmo Plugins website and WordPress plugin repository for updates and advisories related to CVE-2024-44018.