Platform
wordpress
Component
salon-booking-system
Fixed in
9.8.1
CVE-2024-4442 describes an arbitrary file deletion vulnerability affecting the Salon booking system WordPress plugin. This vulnerability allows unauthenticated attackers to delete files on the server, potentially compromising the entire WordPress installation. The vulnerability impacts versions of the plugin up to and including 9.8, and a fix is available in a subsequent release.
The impact of this vulnerability is severe. An attacker can leverage it to delete critical WordPress files, such as wp-config.php, which contains sensitive database credentials. Successful deletion of wp-config.php would allow the attacker to gain complete control over the WordPress site, enabling them to execute arbitrary code, steal data, and deface the website. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers, including those with limited technical skills. This vulnerability shares similarities with other file deletion vulnerabilities where improper path validation leads to unauthorized access and modification of system files.
CVE-2024-4442 was publicly disclosed on May 21, 2024. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. The availability of a public proof-of-concept is likely, increasing the risk of widespread attacks. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
33.70% (97% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Salon booking system plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing temporary workarounds. These may include restricting file upload permissions within the WordPress environment or implementing a Web Application Firewall (WAF) rule to block requests that attempt to delete files. Regularly monitor WordPress logs for suspicious activity, specifically looking for attempts to access or delete files outside of expected directories. After upgrading, verify the fix by attempting to upload and delete a test file through the plugin's interface, ensuring that the file deletion functionality is properly restricted.
Update the Salon booking system plugin to the latest available version. Version 9.8 and earlier are vulnerable. The update will fix the arbitrary file deletion vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-4442 is a critical vulnerability in the Salon booking system WordPress plugin allowing unauthenticated attackers to delete arbitrary files, potentially leading to site takeover.
You are affected if you are using the Salon booking system plugin in WordPress versions 9.8 or earlier. Upgrade immediately to mitigate the risk.
Upgrade the Salon booking system plugin to the latest available version that addresses this vulnerability. If upgrading is not possible, implement temporary workarounds like WAF rules or restricted file permissions.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WordPress plugin directory and the plugin developer's website for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.