Platform: wordpress
Component: wpoptin
Fixed in: 2.0.2
CVE-2024-47645 is a path traversal vulnerability in the Top Bar – PopUps plugin by WPOptin for WordPress. The flaw lets an attacker make the plugin include files from outside its intended directory, which exposes sensitive data and, depending on what can be included, can lead to remote code execution. Versions up to and including 2.0.1 are affected; version 2.0.2 contains the fix.
The primary impact is Local File Inclusion (LFI). An attacker who controls the included path can read any file the web server process is allowed to read: configuration files holding database credentials (for WordPress, wp-config.php), application source code, or system files. Where the sink is a PHP include, the included file is also parsed as PHP, so disclosure escalates to code execution whenever the attacker can place or influence a file on disk (an unrestricted upload, a poisoned log), putting full compromise of the WordPress installation and potentially the host within reach. Exploitation requires only a crafted URL whose file-path value steps outside the intended directory; as with other path traversal bugs, the predictable WordPress layout (a plugin directory sits a fixed number of levels below the installation root) makes target paths easy to guess.
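The plugin's code is not reproduced on this page, so the following is an added Python example (not the plugin's PHP and not WPOptin's code) that shows the mechanism in the abstract. The `file`-style parameter value, the template directory layout and the stand-in wp-config.php are assumptions: a request-supplied name joined onto a template directory with no confinement check reaches a file four directories up, while a resolver that canonicalises the path and requires it to stay under the base directory refuses the same value, an absolute path, and a bare `../`.

```python
import os
import tempfile


def unsafe_template_path(base_dir: str, requested: str) -> str:
    """The pattern behind an LFI: the request-supplied name is joined onto the
    template directory with no check that the result stays inside it.
    Illustrative only; this is not the plugin's code."""
    return os.path.join(base_dir, requested)


def safe_template_path(base_dir: str, requested: str) -> str:
    """Confine a request-supplied file name to base_dir.

    realpath() collapses '..' segments and follows symlinks, so the comparison
    is made on the canonical path rather than on the attacker's string. Note
    that os.path.join() drops base_dir entirely when `requested` is absolute;
    the commonpath() test catches that case as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes template directory: {requested!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def demo() -> dict:
    """Build a throwaway directory layout (constructed sample, not a real
    WordPress install) and compare the two resolvers on the same inputs."""
    with tempfile.TemporaryDirectory() as root:
        # hypothetical plugin template directory, four levels below the root
        templates = os.path.join(root, "wp-content", "plugins", "example", "templates")
        os.makedirs(templates)
        with open(os.path.join(templates, "popup.php"), "w") as fh:
            fh.write("<?php /* legitimate template */ ?>")
        config = os.path.join(root, "wp-config.php")  # stand-in for the real file
        with open(config, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample'); ?>")

        traversal = "../../../../wp-config.php"  # hypothetical attacker value
        results = {
            # the naive join walks up to the root and lands on wp-config.php
            "unsafe_escapes": os.path.realpath(unsafe_template_path(templates, traversal))
            == os.path.realpath(config),
            # the confined resolver still serves the legitimate template
            "safe_accepts_legit": safe_template_path(templates, "popup.php").endswith("popup.php"),
        }
        for bad in (traversal, "/etc/passwd", "../"):
            try:
                safe_template_path(templates, bad)
                results[f"rejected:{bad}"] = False
            except (ValueError, FileNotFoundError):
                results[f"rejected:{bad}"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares canonical paths rather than rejecting the substring `..`, which is the distinction that matters: a substring filter can be bypassed with encoding or with an absolute path, whereas a path that resolves outside the base directory fails the `commonpath` test no matter how it was spelled.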
CVE-2024-47645 was publicly disclosed on 2024-10-16. No public proof-of-concept (PoC) code had been identified at the time of writing. Severity is rated HIGH (CVSS 7.5). The CVE is not listed in the CISA KEV catalog and active exploitation has not been confirmed, but the flaw is publicly documented and its potential impact warrants immediate attention.
Exploit Status
EPSS: 0.40% (61st percentile)
CISA SSVC
CVSS Vector
The most effective mitigation is to upgrade Top Bar – PopUps to version 2.0.2 or later immediately. If that is not feasible right away, apply temporary workarounds while the upgrade is scheduled. Tighten file permissions so the web server user can read only what the site needs; this limits what an LFI can reach but cannot protect files the application itself must read, such as wp-config.php. Deploy a Web Application Firewall (WAF) rule that blocks path traversal patterns (`../`, `..\`, absolute paths) in request parameters, and make sure the rule matches after URL decoding: a single-pass filter for the literal `..` is defeated by `%2e%2e%2f` or the double-encoded `%252e%252e%252f`. Monitor web server and PHP logs for traversal sequences in query strings, requests naming wp-config.php or /etc/passwd, and include or open errors that point outside the plugin directory.
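To show why a "block requests containing `..`" rule must decode before it matches, here is an added Python scanner over constructed access-log lines (not real traffic; the `file` parameter and the `/wp-content/plugins/example/` path are assumptions, not the plugin's real endpoint). It percent-decodes each query value repeatedly, so single- and double-encoded traversal sequences are caught alongside the plain form, and it also flags absolute paths and well-known sensitive targets. The same decoding belongs in a WAF rule.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines, not real traffic. The `file` parameter
# and the /wp-content/plugins/example/ path are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2024:10:00:01 +0000] "GET /wp-content/plugins/example/view.php?file=popup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2024:10:00:02 +0000] "GET /wp-content/plugins/example/view.php?file=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [16/Oct/2024:10:00:03 +0000] "GET /wp-content/plugins/example/view.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [16/Oct/2024:10:00:04 +0000] "GET /wp-content/plugins/example/view.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.4.0"
198.51.100.2 - - [16/Oct/2024:10:00:05 +0000] "GET /wp-content/plugins/example/view.php?file=/etc/passwd HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [16/Oct/2024:10:00:06 +0000] "GET /index.php?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_RE = re.compile(r"wp-config\.php|/etc/passwd", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %252e%252e%252f is reduced to ../ before any matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding for a log line that carries a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    reasons = []
    decoded_path = fully_decode(path)
    if "../" in decoded_path or "..\\" in decoded_path:
        reasons.append("traversal in path")
    for pair in query.split("&") if query else []:
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if "../" in value or "..\\" in value:
            reasons.append(f"traversal in {name}")
        elif value.startswith(("/", "\\")):
            reasons.append(f"absolute path in {name}")
        if SENSITIVE_RE.search(value):
            reasons.append(f"sensitive target in {name}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")), "reasons": reasons}


def scan_log(text: str) -> list:
    """Scan a whole log and return the findings in file order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], "; ".join(hit["reasons"]))
```

Of the four hits, the three that returned 200 with a non-trivial body size are the ones to treat as probable successful reads; the 500 on the absolute-path attempt is more likely a failed probe. A rule that only searched the raw request line for `..` would have reported two of the four.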
Update the WPOptin plugin to the latest available version. The local file inclusion vulnerability allows attackers to access sensitive files on the server; the update fixes this vulnerability.
CVE-2024-47645 is a Path Traversal vulnerability in the Top Bar – PopUps plugin for WordPress, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Top Bar – PopUps by WPOptin version 2.0.1 or earlier, you are affected by this vulnerability.
Upgrade the Top Bar – PopUps plugin to version 2.0.2 or later to resolve this vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
Active exploitation is not currently confirmed, but the vulnerability's potential impact warrants immediate remediation.
Check the WPOptin website and WordPress plugin repository for the official advisory and update information.