Platform
wordpress
Component
wp-cookies-enabler
Fixed in
1.0.2
CVE-2024-54380 describes a Path Traversal vulnerability within the WP Cookies Enabler WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive information disclosure or even remote code execution. The vulnerability impacts versions of WP Cookies Enabler up to and including 1.0.1, and a patch is available in version 1.0.2.
The core of this vulnerability lies in the improper handling of file paths within WP Cookies Enabler. An attacker can craft malicious input that bypasses intended restrictions, allowing them to specify a path outside the intended directory. This leads to a Local File Inclusion (LFI) condition. Successful exploitation could allow an attacker to read sensitive configuration files, source code, or even execute arbitrary PHP code on the server, effectively compromising the entire WordPress installation. The potential impact extends beyond data theft to complete system takeover, depending on the server's configuration and the attacker's skill.
CVE-2024-54380 was publicly disclosed on December 16, 2024. While no public proof-of-concept (PoC) code has been widely reported, the Path Traversal vulnerability is a well-understood attack vector, and the availability of the plugin makes it a potential target. The EPSS score is likely to be medium, reflecting the ease of exploitation and the potential impact. Monitor WordPress security forums and vulnerability databases for any signs of active exploitation.
Exploit Status
EPSS
0.18% (40% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-54380 is to immediately upgrade the WP Cookies Enabler plugin to version 1.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the WordPress server. Specifically, ensure that the web server user has minimal privileges and cannot write to directories containing sensitive files. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a non-existent file via the vulnerable endpoint and confirming that access is denied.
Actualice el plugin WP Cookies Enabler a la última versión disponible. Si no hay una versión más reciente, considere deshabilitar o eliminar el plugin hasta que se publique una actualización que corrija la vulnerabilidad. Consulte el sitio web del desarrollador para obtener más información y actualizaciones.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-54380 is a Path Traversal vulnerability in WP Cookies Enabler allowing attackers to potentially include arbitrary files, leading to sensitive information disclosure or code execution.
Yes, if you are using WP Cookies Enabler version 1.0.1 or earlier, you are affected by this vulnerability.
Upgrade WP Cookies Enabler to version 1.0.2 or later. As a temporary workaround, restrict file access permissions and implement WAF rules.
While no active exploitation has been widely reported, the vulnerability is well-understood and the plugin's popularity makes it a potential target.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.