Platform: WordPress
Component: DigiPass
Fixed in: 0.3.1
CVE-2024-52378 describes an Arbitrary File Access vulnerability in the Labs64 DigiPass WordPress plugin. The flaw stems from improper validation of a user-supplied file path, which lets an attacker read files on the server that the plugin was never meant to expose. DigiPass 0.3.0 and earlier are affected; the fix is in version 0.3.1.
Because the supplied path is not confined to the plugin's intended directory, traversal sequences such as ../ let an attacker step out of that directory and read other files the web server user can access: WordPress configuration files (including database credentials), other plugins' settings, or application source code. Reading a file does not by itself execute it, but leaked database credentials, API keys or authentication secrets can be reused to take over the WordPress instance or to pivot to other systems that share them. On a shared host the blast radius grows with every site the same web server user can read.
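The generic pattern behind this class of bug, and the check that closes it, as an added example. This is not DigiPass code and nothing here describes the plugin's real layout: BASE_DIR, the function names and the sample file names are all assumptions. The point is the containment check at the end of safe_resolve(), which is what the vulnerable version lacks.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the plugin is meant to serve files from (assumption, not the real plugin layout).
BASE_DIR = "/var/www/html/wp-content/uploads/digipass"


def vulnerable_resolve(user_file: str) -> str:
    """The flawed pattern: trust the supplied name and glue it onto the base directory.
    A request for '../../../wp-config.php' resolves to a file outside BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_file))


def safe_resolve(user_file: str) -> Optional[str]:
    """Hardened pattern: decode, reject absolute paths and NUL bytes, normalise,
    then confirm the result is still inside BASE_DIR. Returns None when the request
    must be refused. Uses posixpath so the check runs without touching the filesystem;
    in production also apply os.path.realpath() so symlinks cannot point back outside."""
    # Decode twice: filter bypasses often double-encode ("%252e%252e%252f").
    decoded = unquote(unquote(user_file))
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators; PHP on Windows would, and normalising removes an evasion.
    decoded = decoded.replace("\\", "/")
    # posixpath.join() discards BASE_DIR when the second argument is absolute, so refuse those first.
    if posixpath.isabs(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # commonpath() is the real containment test; a bare startswith(BASE_DIR) would accept
    # a sibling directory such as ".../uploads/digipass2/secret".
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    # The directory itself is not a file the caller may fetch.
    if candidate == BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("reports/2024.pdf", "../../../wp-config.php",
                 "%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php", "/etc/passwd"):
        print(f"{name!r:50} vulnerable={vulnerable_resolve(name)!r} safe={safe_resolve(name)!r}")
```

The vulnerable version happily returns /var/www/html/wp-config.php for the traversal input; the hardened one refuses it, refuses the percent-encoded and backslash variants of the same request, and still serves a normal relative name inside the directory.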
CVE-2024-52378 was publicly disclosed on 2024-11-14. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the likelihood of future exploitation attempts.
Exploit Status: no confirmed active exploitation; not listed in CISA KEV
EPSS: 0.22% (44th percentile)
CISA SSVC: not given
CVSS Vector: not given
The primary mitigation for CVE-2024-52378 is to upgrade DigiPass to version 0.3.1 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, a Web Application Firewall (WAF) rule that blocks path traversal sequences in request parameters is a stopgap; it must cover the encoded forms (%2e%2e%2f, %2e%2e/, double-encoded %252e%252e%252f) and backslash variants as well as the literal ../, or it is trivially bypassed. Review filesystem permissions so that the web server user can read only what the site needs: files of other sites on the same host and system files outside the document root should not be readable by it (wp-config.php itself must remain readable by the web server, so permissions alone do not neutralise this bug). Monitor the web server access logs for traversal attempts, paying particular attention to requests that returned 200 rather than 403 or 404, since those are the ones that likely succeeded. After upgrading, confirm the fix by sending a traversal request of your own and verifying that the file is not returned.
If you cannot update the DigiPass plugin to 0.3.1 or later, disable it until you can. Updating resolves the arbitrary file access vulnerability.
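A detection pass over access logs for the monitoring step above, as an added example that is not part of the original advisory or of DigiPass. The log lines are constructed for the example (the IPs are documentation ranges and the file= parameter on /index.php is a placeholder, not the plugin's real endpoint). The scanner decodes each request path repeatedly before looking for traversal, so single- and double-encoded variants and backslash separators are caught alongside the literal form, and it reports the HTTP status so that successful reads stand out.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2024:10:15:01 +0000] "GET /index.php?file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2024:10:16:12 +0000] "GET /index.php?file=../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/8.4.0"
198.51.100.7 - - [14/Nov/2024:10:16:13 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3210 "-" "curl/8.4.0"
198.51.100.7 - - [14/Nov/2024:10:16:14 +0000] "GET /index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.44 - - [14/Nov/2024:11:02:40 +0000] "GET /index.php?file=..%5c..%5c..%5cwp-config.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.10 - - [14/Nov/2024:11:05:00 +0000] "GET /index.php?file=archive..2023.zip HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Nov/2024:11:07:22 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip  ident  user  [timestamp]  "METHOD path PROTO"  status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# ".." followed by a separator, after decoding and backslash normalisation; also matches "....//" tricks.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so %252e%252e -> %2e%2e -> .. is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request whose decoded path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real scanner would count these
        ip, ts, method, path, status = m.groups()
        decoded = fully_decode(path)
        if TRAVERSAL_RE.search(decoded):
            hits.append({"ip": ip, "time": ts, "method": method, "path": path,
                         "decoded": decoded, "status": status})
    return hits


def likely_successful(hits: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Traversal requests answered with 200 deserve the first look: the server served something."""
    return [h for h in hits if h["status"] == "200"]


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        flag = "SERVED" if h["status"] == "200" else "blocked/missing"
        print(f"{h['ip']:15} {h['status']} {flag:15} {h['decoded']}")
```

Run it against a real log with find_traversal_attempts(open(path).read()); the benign archive..2023.zip request is not flagged because the two dots are not followed by a separator, while the double-encoded request that the WAF answered with 403 is still reported so that the source IP can be blocked.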
CVE-2024-52378 is a HIGH severity vulnerability in the DigiPass WordPress plugin that allows attackers to read arbitrary files because of improper path validation. Versions prior to 0.3.1 are affected.
Yes, if you are using DigiPass version 0.3.0 or earlier, you are vulnerable to this Arbitrary File Access vulnerability.
Upgrade DigiPass to version 0.3.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While there's no confirmed active exploitation, public proof-of-concept exploits exist, increasing the risk of future attacks.
Refer to the Labs64 website and WordPress plugin repository for the official advisory and update information regarding CVE-2024-52378.