Platform: wordpress
Component: globe-gateway-e4
Fixed in: 2.0.1
CVE-2024-52371 describes an arbitrary file access (path traversal) vulnerability in the Global Gateway e4 | Payeezy Gateway WordPress plugin. An attacker who can reach the affected code path supplies a manipulated file path and makes the plugin read a file its author never intended to expose, anywhere on the server that the web-server account can read. The vulnerability affects plugin versions up to and including 2.0; version 2.0.1 contains the fix.
Successful exploitation lets an attacker read files from the server's file system with the privileges of the web-server (PHP) process. On a WordPress site the obvious first target is wp-config.php, which holds the database credentials and the authentication salts; other candidates are environment files, API keys stored for the payment gateway, backups left in the web root, and readable OS files such as /etc/passwd. What follows depends on what those files contain: database credentials typically give full control over the site's content and users, and leaked keys or secrets can turn a single file read into privilege escalation or a complete compromise. The blast radius is everything readable by the web-server user, which is why the fix should be applied promptly.
CVE-2024-52371 was publicly disclosed on 2024-11-14. No public proof-of-concept exploit was known at the time of writing, but path traversal bugs are easy to reproduce once the vulnerable parameter is known, so one may well appear. The EPSS score currently listed is 0.22% (44th percentile), a low estimated probability of exploitation in the wild over the next 30 days; expect it to rise if a proof of concept is published. The vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.22% (44th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-52371 is to upgrade the Global Gateway e4 | Payeezy Gateway plugin to version 2.0.1 or later. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, reduce the exposure in the meantime: restrict what the PHP process is allowed to open (for example with PHP's open_basedir directive pointed at the WordPress install) and keep secrets such as backups and .env files out of the web root, because OS file permissions cannot protect files the web server itself must be able to read, wp-config.php included. WAF rules can block requests containing traversal sequences, but they must be matched against the decoded request: attackers routinely use percent-encoded (..%2f), double-encoded (%252e%252e%252f) and backslash variants to slip past a rule that only looks for the literal '../'. Regularly review and audit file permissions so that nothing outside the site is world-readable. After upgrading, confirm the vulnerability is resolved by replaying a path traversal request against the affected endpoint and verifying that the file is not returned, and check the access logs for earlier attempts.
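As an added example (not code from the plugin, its vendor or this advisory), the following Python script shows the decoding a WAF rule or a log review has to perform before matching traversal sequences, and runs it over a few constructed access-log lines. The endpoint, the file= parameter and the client addresses in the sample lines are placeholders: the page does not name the vulnerable parameter, and the plugin directory is assumed from the component slug.

```python
"""Spot path-traversal attempts in web-server access logs.

Added example for this advisory; not code from the plugin or its vendor.
Assumed (not stated on the page): Apache/nginx "combined" log format, the
plugin directory derived from the component slug, and the sample log lines
below, which are constructed for this example (the ?file= parameter is a
placeholder, not the real vulnerable parameter).
"""
import re
from urllib.parse import unquote

# Assumed from the page's component slug; adjust to the real install path.
PLUGIN_PATH = "/wp-content/plugins/globe-gateway-e4/"

# client - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A ".." path component at the start of the target or after a separator
# ('/', or '=', '&', '?' inside a query string), followed by '/' or the end.
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")


def normalize(target: str) -> str:
    """Canonicalise a request target the way a WAF must before matching.

    Percent-decodes until the value stops changing (bounded, so that
    %252e%252e%252f double encoding is unwrapped), folds backslashes to
    forward slashes, and lowercases.
    """
    cur, prev = target, None
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def is_traversal(target: str) -> bool:
    """True if the decoded target contains a '..' path component."""
    return TRAVERSAL_RE.search(normalize(target)) is not None


def parse_line(line: str):
    """Parse one combined-format log line; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "time": m["time"],
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def scan_log(lines):
    """Return the records whose request target is a traversal attempt.

    Each finding carries the decoded target, whether it aimed at the plugin
    directory, and whether the server answered 200 (the read may have
    succeeded) rather than a 4xx (blocked or not found).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_traversal(rec["target"]):
            continue
        rec["normalized"] = normalize(rec["target"])
        rec["in_plugin"] = rec["normalized"].startswith(PLUGIN_PATH)
        rec["maybe_succeeded"] = rec["status"] == 200
        findings.append(rec)
    return findings


# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [15/Nov/2024:10:01:02 +0000] "GET /wp-content/plugins/globe-gateway-e4/index.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Nov/2024:10:01:05 +0000] "GET /wp-content/plugins/globe-gateway-e4/index.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [15/Nov/2024:10:01:09 +0000] "GET /wp-content/plugins/globe-gateway-e4/index.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.4 - - [15/Nov/2024:10:02:30 +0000] "GET /wp-content/plugins/globe-gateway-e4/assets/style.css HTTP/1.1" 200 812 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Nov/2024:10:03:00 +0000] "GET /wp-content/uploads/2024/11/..\\..\\wp-config.php HTTP/1.1" 404 150 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        flag = "SUCCESS?" if f["maybe_succeeded"] else "blocked"
        print(f"{f['ip']} {f['status']} {flag} plugin={f['in_plugin']} {f['normalized']}")
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"))`. The point of the bounded decode loop is that a rule matching the raw request string sees neither `..%2F` nor `%252e%252e%252f`, while the plugin (after the web server and PHP have decoded the parameter) sees `../`; a 200 on a traversal request is the line to treat as a likely data exposure.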
Update the Global Gateway e4 | Payeezy Gateway plugin to version 2.0.1 or later. If the update cannot be applied yet, disable or remove the plugin until it can. Note that deactivating a plugin does not remove its files from disk; if the vulnerable code is in a file that can be requested directly, only removal (or blocking the plugin directory at the web server) closes the hole. See the vendor's website for more information and updates.
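Added example (not the plugin's, the vendor's or WordPress's own code) for deciding from disk whether an install is in the affected range: it reads the Version header from the plugin's main PHP file under wp-content/plugins/<slug>/, the same header WordPress uses to identify plugin versions, and compares it with the fixed version. The slug comes from the page's component field and the fixed version from its "Fixed in" field; the sample header is constructed for the example.

```python
"""Check whether an installed copy of the plugin is at or past the fixed version.

Added example for this advisory; not code from the plugin, its vendor or
WordPress. It relies on the WordPress plugin header convention (a
"Version:" line in the leading comment block of the plugin's main PHP file).
The plugin slug is taken from the page's component field and the fixed
version from its "Fixed in" field; the header text below is constructed.
"""
import os
import re
import tempfile

PLUGIN_SLUG = "globe-gateway-e4"   # from the page's component field
FIXED_VERSION = "2.0.1"            # from the page's "Fixed in" field

# " * Version: 2.0" inside the /** ... */ header block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>\S+)", re.IGNORECASE | re.MULTILINE)


def version_tuple(v: str):
    """'2.0.1' -> (2, 0, 1); a trailing tag such as '-beta' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if m is None:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if installed < fixed: 2.0 is vulnerable, 2.0.1 and 2.1 are not."""
    return version_tuple(installed) < version_tuple(fixed)


def read_plugin_version(php_source: str):
    """Extract the Version header value from plugin source, or None."""
    m = HEADER_RE.search(php_source)
    return m["v"] if m else None


def find_plugin_version(plugins_dir: str, slug: str = PLUGIN_SLUG):
    """Look through <plugins_dir>/<slug>/*.php for the header; None if absent."""
    plugin_dir = os.path.join(plugins_dir, slug)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only reads the first 8 KiB for headers
        v = read_plugin_version(head)
        if v:
            return v
    return None


# Constructed sample header for a vulnerable 2.0 install.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Global Gateway e4 | Payeezy Gateway
 * Version: 2.0
 */
"""


def demo_check():
    """Write the constructed header into a temporary plugins tree and check it.

    Returns (installed_version, vulnerable).
    """
    with tempfile.TemporaryDirectory() as plugins_dir:
        os.makedirs(os.path.join(plugins_dir, PLUGIN_SLUG))
        with open(os.path.join(plugins_dir, PLUGIN_SLUG, "gateway.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HEADER)
        installed = find_plugin_version(plugins_dir)
        return installed, (installed is not None and is_vulnerable(installed))


if __name__ == "__main__":
    # On a real site: find_plugin_version("/var/www/html/wp-content/plugins")
    version, vulnerable = demo_check()
    print(f"installed {version}: {'VULNERABLE, upgrade to ' + FIXED_VERSION if vulnerable else 'fixed'}")
```

On a live site the equivalent check with WP-CLI is `wp plugin get globe-gateway-e4 --field=version`; the script above is for hosts where WP-CLI is not available or where you are scanning a backup or a mounted disk image.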
CVE-2024-52371 is a HIGH severity vulnerability allowing attackers to read files on a server through path manipulation. It affects Global Gateway e4 | Payeezy Gateway versions up to 2.0.
If you are using Global Gateway e4 | Payeezy Gateway version 2.0 or earlier, you are potentially affected. Upgrade to 2.0.1 to mitigate the risk.
Upgrade to version 2.0.1 of the Global Gateway e4 | Payeezy Gateway plugin. If upgrading is not immediately possible, implement file access controls and WAF rules.
While no active exploitation is confirmed, the vulnerability's nature suggests it could be exploited once a proof-of-concept is released.
Refer to the vendor's official security advisory for the most up-to-date information and guidance.