Platform: wordpress
Component: wp-timelines
Fixed in: 3.6.8
CVE-2024-47324 describes a Path Traversal vulnerability within the WP Timeline – Vertical and Horizontal timeline plugin for WordPress. This flaw allows an attacker to include arbitrary files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of the plugin up to and including 3.6.7, with a fix released in version 3.6.8.
The core impact of this vulnerability lies in its ability to enable PHP Local File Inclusion (LFI). An attacker can leverage this to read sensitive files from the server's filesystem, such as configuration files containing database credentials or application source code. More critically, if the attacker can craft a malicious PHP file and include it, they could achieve remote code execution (RCE), effectively gaining control of the WordPress instance. This could lead to data breaches, website defacement, or complete server compromise. The potential blast radius is significant, as a compromised WordPress site can serve as a launchpad for further attacks against the network.
CVE-2024-47324 was publicly disclosed on 2024-10-05. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation associated with path traversal vulnerabilities makes it a likely target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 0.22% (44th percentile)
The primary mitigation is to upgrade the WP Timeline – Vertical and Horizontal timeline plugin to version 3.6.8 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, apply temporary workarounds: restrict file access permissions on the server to limit what an attacker could read, and configure a Web Application Firewall (WAF) with rules that block requests containing path traversal sequences such as ../. After upgrading, verify the fix by requesting a non-existent file through the previously vulnerable endpoint and confirming that the request is denied.
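The WAF and monitoring advice above both come down to spotting traversal sequences in request targets. The following is an added example (not code from the plugin or the advisory) that scans web server access-log lines for `..` path segments, percent-decoding twice so single- and double-encoded variants are caught, and flags whether the request targeted the plugin directory. The log lines, the endpoint name and the query parameter are constructed placeholders; the page does not name the vulnerable endpoint, and the plugin directory prefix `/wp-content/plugins/wp-timelines/` is an assumption based on the component slug.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# PLACEHOLDER.php and the "tpl" parameter stand in for the unnamed vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-timelines/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-timelines/PLACEHOLDER.php?tpl=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [05/Oct/2024:12:00:03 +0000] "GET /index.php?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 100 "-" "python-requests/2.31"
203.0.113.13 - - [05/Oct/2024:12:00:04 +0000] "GET /blog/2024/10/post-title/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment delimited by a slash, backslash, query separator or string boundary.
# Requiring a delimiter on both sides avoids false positives on names like "..hidden".
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

# Assumed plugin directory, derived from the component slug on this page.
PLUGIN_PREFIX = '/wp-content/plugins/wp-timelines/'


def normalize_target(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (covers double encoding) and fold
    backslashes to forward slashes so one pattern handles both separators."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace('\\', '/')


def is_traversal(target: str) -> bool:
    """True if the normalized request target contains a parent-directory segment."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(text: str, plugin_prefix: str = PLUGIN_PREFIX) -> list:
    """Return one record per traversal attempt; a 200 status is the stronger signal,
    since a blocked or missing target usually yields 403/404."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group('target')):
            hits.append({
                'ip': m.group('ip'),
                'status': int(m.group('status')),
                'target': m.group('target'),
                'plugin_path': m.group('target').startswith(plugin_prefix),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```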
Update the WP Timeline plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server. Updating fixes this vulnerability and protects your website.
CVE-2024-47324 is a Path Traversal vulnerability in the WP Timeline plugin allowing attackers to include arbitrary files, potentially leading to code execution. It affects versions up to 3.6.7.
You are affected if you are using the WP Timeline plugin version 3.6.7 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WP Timeline plugin to version 3.6.8 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the Ex-Themes website and WordPress plugin repository for the official advisory and update information.