Platform: wordpress
Component: ultimate-classified-listings
Fixed in: 1.4.1
CVE-2024-52448 describes a Path Traversal vulnerability within the Ultimate Classified Listings plugin for WordPress. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive information disclosure or even remote code execution. The vulnerability impacts versions of Ultimate Classified Listings up to and including 1.4, with a fix available in version 1.4.1.
The primary impact of this vulnerability is the ability for an attacker to achieve PHP Local File Inclusion (LFI). By manipulating file paths, an attacker can trick the application into including files outside of the intended directory. This could allow them to access sensitive configuration files, source code, or even system files. Depending on the files included, an attacker might be able to read sensitive data like database credentials, API keys, or internal system information. In a worst-case scenario, if the attacker can include a file containing malicious PHP code, they could achieve remote code execution, gaining complete control over the affected WordPress instance.
This CVE was published on 2024-11-20. Currently, there are no known active campaigns targeting this specific vulnerability. Public proof-of-concept exploits are not widely available, but the path traversal nature of the vulnerability makes it likely that exploits will emerge. The vulnerability is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.22% (44th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation is to immediately upgrade Ultimate Classified Listings to version 1.4.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict file permissions on sensitive files and directories to prevent unauthorized access. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed.
Update the Ultimate Classified Listings plugin to the latest available version. If no patched version is available, consider disabling or removing the plugin until one is released. This prevents exploitation of the Local File Inclusion vulnerability.
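The WAF workaround above blocks `../` sequences; a rule that only matches that literal string misses percent-encoded, double-encoded and backslash variants. The following added example (not code from the advisory or the plugin) shows a normalizing check applied to constructed access-log lines; the `file` query parameter is a placeholder, not the plugin's actual parameter name.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit


def normalize(value: str, max_decode_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and unify path separators.

    Bounded decoding covers double-encoded input such as %252e%252e%252f
    without looping forever on pathological strings.
    """
    current = value
    for _ in range(max_decode_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    # Treat backslash as a separator and drop NUL so later checks see one form.
    return current.replace("\\", "/").replace("\x00", "")


def is_traversal(value: str) -> bool:
    """True when any path segment of the normalized value is exactly '..'."""
    return ".." in normalize(value).split("/")


def flag_requests(log_lines):
    """Return (line_no, param, raw_value) for each query parameter flagged."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs decodes one layer; normalize() handles any remaining layers.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            hits.extend((line_no, name, v) for v in values if is_traversal(v))
    return hits


# Constructed sample log lines (not real traffic); hypothetical parameter "file".
SAMPLE_LOG = [
    '10.0.0.1 - - [20/Nov/2024:10:00:00 +0000] "GET /?page_id=12&view=listing HTTP/1.1" 200 512',
    '10.0.0.2 - - [20/Nov/2024:10:00:01 +0000] "GET /?file=../../../wp-config.php HTTP/1.1" 200 300',
    '10.0.0.3 - - [20/Nov/2024:10:00:02 +0000] "GET /?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 300',
    '10.0.0.4 - - [20/Nov/2024:10:00:03 +0000] "GET /?file=..%252f..%252fwp-config.php HTTP/1.1" 200 300',
    '10.0.0.5 - - [20/Nov/2024:10:00:04 +0000] "GET /?file=..%5c..%5cwp-config.php HTTP/1.1" 200 300',
    '10.0.0.6 - - [20/Nov/2024:10:00:05 +0000] "GET /?q=v1..v2 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for line_no, name, value in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} = {value!r}")
```

Only lines 2 through 5 are flagged; the `v1..v2` value on line 6 contains two dots but no `..` segment, so a segment-based check avoids that false positive.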
CVE-2024-52448 is a Path Traversal vulnerability in the Ultimate Classified Listings WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Ultimate Classified Listings version 1.4 or earlier, you are affected by this vulnerability.
Upgrade to version 1.4.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the WebCodingPlace website and WordPress plugin repository for the latest advisory and update information.