Platform
wordpress
Component
wp-timelines
Fixed in
3.6.8
CVE-2024-47323 describes a Path Traversal vulnerability within the WP Timeline – Vertical and Horizontal timeline plugin for WordPress. This flaw allows attackers to potentially include arbitrary PHP files, leading to code execution and compromise of the WordPress site. The vulnerability affects versions of the plugin up to and including 3.6.7, and a patch has been released in version 3.6.8.
The core impact of this vulnerability lies in its potential for Remote Code Execution (RCE). By exploiting the Path Traversal flaw, an attacker can manipulate the application to include and execute malicious PHP code from locations outside the intended directory. This could allow them to gain control of the WordPress server, steal sensitive data (user credentials, database information, configuration files), modify website content, or install malware. The blast radius extends to any data accessible by the WordPress application, and depending on server configuration, could potentially allow for lateral movement to other systems on the network.
CVE-2024-47323 was publicly disclosed on 2024-10-05. There are currently no known active campaigns targeting this vulnerability, but the availability of a path traversal vulnerability often leads to exploitation attempts. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS
0.65% (71% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the WP Timeline plugin to version 3.6.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These include restricting file access permissions within the WordPress directory to prevent unauthorized file inclusions. Implement strict input validation and sanitization to prevent attackers from manipulating file paths. Monitor WordPress access logs and PHP error logs for suspicious file inclusion attempts. Consider using a Web Application Firewall (WAF) with rules to block attempts to access files outside of the intended directories. After upgrading, confirm the fix by attempting a path traversal attack and verifying that the application correctly restricts access.
Actualice el plugin WP Timeline a la última versión disponible. La vulnerabilidad de inclusión de archivos locales permite a atacantes acceder a archivos sensibles del servidor. La actualización corrige esta vulnerabilidad.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-47323 is a Path Traversal vulnerability in the WP Timeline plugin for WordPress, allowing attackers to potentially include arbitrary PHP files and execute code.
You are affected if you are using the WP Timeline plugin version 3.6.7 or earlier. Upgrade to version 3.6.8 to mitigate the risk.
The recommended fix is to upgrade the WP Timeline plugin to version 3.6.8. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and monitoring logs.
While there are currently no confirmed active campaigns, the vulnerability's nature makes it likely to be targeted, so prompt mitigation is crucial.
Refer to the Ex-Themes website and WordPress plugin repository for the official advisory and update information regarding CVE-2024-47323.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.