Platform: wordpress
Component: opal-woo-custom-product-variation
Fixed in: 1.1.4
CVE-2024-52444 describes an Arbitrary File Access vulnerability within the Opal Woo Custom Product Variation plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of the plugin prior to 1.1.4 are affected, and a patch has been released to address the issue.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access restrictions and read files outside of the intended directory. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to information disclosure, and in some cases, could be a stepping stone for further attacks, such as code execution if the attacker can leverage the exposed files to gain more control over the system. The impact is particularly severe for WordPress sites hosting sensitive data or used in critical business processes.
CVE-2024-52444 was publicly disclosed on 2024-11-20. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The relatively straightforward nature of path traversal vulnerabilities suggests that a proof-of-concept may be developed and released in the near future.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-52444 is to immediately upgrade the Opal Woo Custom Product Variation plugin to version 1.1.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress server to minimize the potential damage from a successful exploit. After upgrading, verify the fix by attempting to access files outside the intended directory using a path traversal payload; access should be denied.
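The WAF workaround above only helps if the rule matches what the application will actually decode, so a naive filter on the literal `../` misses `%2e%2e/`, double-encoded `%252e%252e` and backslash variants. The following added example (not code from the advisory or from the plugin; the endpoint, the `file` parameter and the log lines are constructed placeholders) shows a decode-then-match detector run over sample access-log lines, plus the server-side containment check a patched plugin should perform instead of relying on the WAF.

```python
import posixpath
import re
from urllib.parse import unquote

# A ".." segment after decoding, delimited by "/" or "\" (or the string ends).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalize_path(raw: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times (catches %252e as well as %2e) and fold
    backslashes, which PHP on Windows accepts as directory separators."""
    s = raw
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")

def is_traversal_attempt(target: str) -> bool:
    """True when the decoded request target contains a '..' segment."""
    return TRAVERSAL_RE.search(normalize_path(target)) is not None

def flag_log_lines(lines: list) -> list:
    """Return the request targets of access-log lines carrying traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append(m.group(1))
    return hits

def resolve_within(base_dir: str, user_path: str) -> "str | None":
    """Server-side containment: join user_path under base_dir, normalise, and
    refuse anything that does not stay strictly below base_dir."""
    base = posixpath.normpath(base_dir)
    rel = normalize_path(user_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, rel))
    return candidate if candidate.startswith(base + "/") else None

# Constructed sample access-log lines. ENDPOINT and the "file" parameter are
# placeholders, not the plugin's real entry point (the advisory does not name it).
ENDPOINT = "/wp-content/plugins/example-plugin/example.php"
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/Nov/2024:10:00:00 +0000] "GET {ENDPOINT}?file=../../../wp-config.php HTTP/1.1" 200 512',
    f'203.0.113.5 - - [20/Nov/2024:10:00:01 +0000] "GET {ENDPOINT}?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 512',
    f'203.0.113.5 - - [20/Nov/2024:10:00:02 +0000] "GET {ENDPOINT}?file=..%255c..%255cwp-config.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Nov/2024:10:00:03 +0000] "GET /wp-content/uploads/2024/11/photo.jpg HTTP/1.1" 200 9001',
    '198.51.100.7 - - [20/Nov/2024:10:00:04 +0000] "GET /product/item..html HTTP/1.1" 404 120',
]
```

`flag_log_lines(SAMPLE_LOG)` reports the three encoded and unencoded traversal requests and leaves the two benign lines alone; `resolve_within` is the check to apply to the decoded parameter value before any file is opened.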
Update the Opal Woo Custom Product Variation plugin to the latest available version. If no fixed version is available, consider disabling or removing the plugin until an update that corrects the vulnerability is published. Consult the vendor's website for further information and updates.
CVE-2024-52444 is a HIGH severity vulnerability allowing attackers to read files outside intended directories in Opal Woo Custom Product Variation versions ≤1.1.3 due to improper path validation.
You are affected if you are using Opal Woo Custom Product Variation version 1.1.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Opal Woo Custom Product Variation plugin to version 1.1.4 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Opal Woo website or WordPress plugin repository for the latest advisory and update information.