Platform
wordpress
Component
pluginpass-pro-plugintheme-licensing
Fixed in
0.9.11
CVE-2024-54291 describes an Arbitrary File Access vulnerability in PluginPass, a WordPress plugin. The flaw allows an attacker to supply crafted request input that the plugin uses to access files on the server's file system, potentially leading to sensitive data exposure or, if executable files can be reached, remote code execution. The vulnerability affects PluginPass versions up to and including 0.9.10; a fix is available in version 0.9.11.
The Arbitrary File Access vulnerability in PluginPass allows an attacker to read any file accessible by the webserver process. This includes configuration files, source code, and potentially even sensitive data like database credentials or API keys. Successful exploitation could lead to complete compromise of the WordPress site and the underlying server. An attacker could leverage this to gain a deeper understanding of the system, exfiltrate data, or even execute arbitrary code if they can locate and execute a suitable file. The impact is amplified if the server hosts multiple websites or applications, as a compromised PluginPass instance could provide a foothold for attacking other services on the same server.
CVE-2024-54291 was publicly disclosed on 2025-03-28. Currently, there are no known active campaigns targeting this vulnerability, and no public proof-of-concept exploits have been released. The vulnerability is not listed on the CISA KEV catalog at the time of writing. However, the path traversal nature of the vulnerability makes it a potential target for automated scanning and exploitation.
Exploit Status
EPSS
0.24% (48th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54291 is to immediately upgrade PluginPass to version 0.9.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the server. This can be achieved by configuring the web server (e.g., Apache, Nginx) to deny access to sensitive directories. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a restricted file via a web browser; access should be denied.
Update the PluginPass plugin to the latest available version. The vulnerability allows for arbitrary file download and deletion, so it is crucial to update as soon as possible. Refer to the plugin page in the WordPress repository for the latest version.
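To make the WAF and log-review advice above concrete, here is an added detection example (not code from the advisory or from the PluginPass project) that scans constructed web-server access-log lines for traversal sequences, including URL-encoded, double-encoded and backslash forms that a literal `../` match would miss. The `file` query parameter, the request paths and the log entries are placeholders, not PluginPass's real endpoint or observed traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (placeholders, not real PluginPass
# traffic); the "file" parameter name is assumed, not the plugin's own.
SAMPLE_LOG = r"""
203.0.113.5 - - [28/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/pluginpass/?file=license.txt HTTP/1.1" 200 512
203.0.113.7 - - [28/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/pluginpass/?file=../../../../wp-config.php HTTP/1.1" 200 3021
203.0.113.9 - - [28/Mar/2025:10:00:03 +0000] "GET /wp-content/plugins/pluginpass/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3021
203.0.113.11 - - [28/Mar/2025:10:00:04 +0000] "GET /wp-content/plugins/pluginpass/?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
203.0.113.13 - - [28/Mar/2025:10:00:05 +0000] "GET /wp-content/plugins/pluginpass/?file=..\..\wp-config.php HTTP/1.1" 200 3021
"""

# Request line inside a combined-format log entry: method, path+query, version.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." segment followed by a separator (or end of string) after normalisation.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so a hostile input cannot loop
    forever) to expose double-encoded sequences, then fold backslashes to
    forward slashes so '..\\' is treated the same as '../'."""
    decoded = path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if the path or query contains a traversal sequence once normalised."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan_log(text: str) -> list:
    """Return (client_ip, raw_request_path) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

Note that a 200 status on a flagged request is the signal to investigate; the 403 line shows what a working WAF or web-server deny rule looks like in the same log.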
CVE-2024-54291 is a HIGH severity vulnerability in PluginPass affecting versions up to 0.9.10. It allows attackers to read files on the server through path traversal.
You are affected if you are using PluginPass version 0.9.10 or earlier. Check your plugin version and update immediately.
Upgrade PluginPass to version 0.9.11 or later. If immediate upgrade is not possible, restrict file access permissions and implement WAF rules.
Currently, there are no confirmed active exploits, but the vulnerability's nature makes it a potential target.
Refer to the PluginPass project's official website or repository for the latest security advisories and updates.