Platform
wordpress
Component
pdf-rechnungsverwaltung
Fixed in
0.0.2
CVE-2024-49287 describes a Path Traversal vulnerability within the PDF-Rechnungsverwaltung WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data disclosure or even remote code execution. The vulnerability impacts versions of PDF-Rechnungsverwaltung up to and including 0.0.1, and a fix is available in version 0.0.2.
The primary impact of this Path Traversal vulnerability is the ability for an attacker to read arbitrary files on the server. By manipulating the application's input, an attacker can bypass intended security restrictions and access files outside of the intended directory. This could include configuration files containing database credentials, source code with sensitive information, or even log files revealing user activity. Successful exploitation could lead to complete compromise of the WordPress instance and the underlying server. The Local File Inclusion aspect elevates the risk, as it could allow an attacker to execute malicious code within the context of the web server process.
CVE-2024-49287 was publicly disclosed on 2024-10-17. There is no indication of this vulnerability being actively exploited in the wild at this time. No public proof-of-concept exploits have been published. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.33% (56th percentile)
The recommended mitigation for CVE-2024-49287 is to immediately upgrade PDF-Rechnungsverwaltung to version 0.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file access permissions on the server, implementing input validation to sanitize user-supplied paths, or using a Web Application Firewall (WAF) to block requests containing suspicious path traversal patterns. Monitor WordPress access logs for unusual file access attempts, particularly those involving directory traversal sequences like '../'. After upgrading, confirm the fix by attempting a path traversal attack and verifying that it is blocked.
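The log-monitoring step above, as an added example that is not part of this advisory or of the plugin's code: a small Python script that parses combined-format access log lines, percent-decodes parameter values until they are stable (so double-encoded sequences are not missed), and flags any request whose path or query value climbs above its base directory. The sample log lines, the script name example.php and the parameter names are constructed placeholders; the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not from a real server.
# "example.php" and the "file"/"p" parameters are placeholders for the unnamed endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Oct/2024:10:01:02 +0000] "GET /wp-content/plugins/pdf-rechnungsverwaltung/example.php?file=invoice-42.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Oct/2024:10:01:07 +0000] "GET /wp-content/plugins/pdf-rechnungsverwaltung/example.php?file=../../../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/8.0"
203.0.113.9 - - [17/Oct/2024:10:01:09 +0000] "GET /wp-content/plugins/pdf-rechnungsverwaltung/example.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.2 - - [17/Oct/2024:10:02:00 +0000] "GET /index.php?p=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize(value: str) -> str:
    # Decode until stable so %252e -> %2e -> '.', then treat backslashes as separators.
    cur, prev = value, None
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def escapes_base(value: str) -> bool:
    # True when '..' segments climb above the directory the value would be joined to.
    depth = 0
    for seg in normalize(value).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text: str) -> list:
    # One record per request whose URL path or any query value escapes its base directory.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        suspects = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
        for name, val in suspects:
            if escapes_base(val):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "param": name, "value": normalize(val)})
                break  # one alert per request
    return hits
```

A 200 response on a flagged request (as in the second sample line) is the one worth investigating first; a 403 or 404 indicates the attempt was already refused.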
Update the PDF-Rechnungsverwaltung plugin to a version later than 0.0.1. If no version is available, consider uninstalling the plugin until a patched version is released. See the plugin page on WordPress.org for updates.
CVE-2024-49287 is a Path Traversal vulnerability affecting PDF-Rechnungsverwaltung versions up to 0.0.1, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using PDF-Rechnungsverwaltung version 0.0.1 or earlier. Upgrade to version 0.0.2 to resolve the vulnerability.
Upgrade PDF-Rechnungsverwaltung to version 0.0.2 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or file permission restrictions.
There is currently no evidence of CVE-2024-49287 being actively exploited in the wild.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and release notes regarding this vulnerability.