Platform: wordpress
Component: pandavideo
Fixed in: 1.4.1
CVE-2024-5456 describes a Local File Inclusion (LFI) vulnerability discovered in the Panda Video plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability affects versions of the plugin up to and including 1.4.0. A fix is expected from the vendor.
The impact of this vulnerability is significant. An attacker who can exploit this LFI can execute arbitrary PHP code on the server. This could allow them to bypass access controls, steal sensitive data (such as database credentials or user information), modify website content, or even gain complete control of the WordPress installation. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including defacement, malware injection, and data exfiltration. The requirement for Contributor-level access limits the immediate impact, but many WordPress sites grant this level of access to multiple users, expanding the potential attack surface.
This vulnerability was publicly disclosed on 2024-07-09. No public proof-of-concept (PoC) code has been widely released at the time of writing, but the ease of exploitation given the required access level suggests it could be quickly developed. The vulnerability is not currently listed on CISA KEV. Active exploitation campaigns are not confirmed, but the potential for easy exploitation warrants close monitoring.
Exploit Status
EPSS: 0.58% (69th percentile)
The primary mitigation for CVE-2024-5456 is to upgrade the Panda Video plugin to a version that addresses the vulnerability. Check the vendor's website for the latest release. If upgrading is not immediately possible due to compatibility issues or testing requirements, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious characters in the 'selected_button' parameter. Monitor WordPress logs for unusual file inclusion attempts.
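As an added defensive example, not taken from the advisory or from the plugin's own code, the following Python scans web-server access logs for traversal, null-byte or stream-wrapper patterns in the `selected_button` parameter named above. The sample log lines and the `admin-ajax.php` endpoint are constructed assumptions, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
# The endpoint is an assumption; only the parameter name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?selected_button=play HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jul/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?selected_button=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.7 - - [09/Jul/2024:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?selected_button=..%2F..%2Fwp-config.php%00 HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [09/Jul/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked after full decoding of the parameter value.
LFI_PATTERNS = [
    re.compile(r'\.\.[/\\]'),                          # directory traversal
    re.compile(r'\x00'),                               # null-byte truncation
    re.compile(r'^(?:php|file|data|phar)://', re.I),   # PHP stream wrappers
]

def normalize(value):
    """Decode repeatedly so double-encoded values (%252e) are not missed."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def check_target(target, param="selected_button"):
    """Return the decoded suspicious values of `param` in a request target."""
    query = urlsplit(target).query
    hits = []
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        decoded = normalize(raw)
        if any(p.search(decoded) for p in LFI_PATTERNS):
            hits.append(decoded)
    return hits

def scan_log(text, param="selected_button"):
    """Yield one alert dict per suspicious value found in the access log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Caveat: access logs only show GET query strings; values sent in a
        # POST body need WAF or application-level logging to be visible.
        for value in check_target(m["target"], param):
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "status": int(m["status"]), "value": value})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged request is worth prioritising, since it suggests the include was not rejected by the application.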
Update the Panda Video plugin to the latest available version. This will fix the local file inclusion vulnerability.
CVE-2024-5456 is a Local File Inclusion vulnerability affecting the Panda Video WordPress plugin versions up to 1.4.0, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using the Panda Video plugin version 1.4.0 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Panda Video plugin to the latest available version. Check the vendor's website for the updated version.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants close monitoring.
Check the Panda Video plugin's official website or the WordPress plugin repository for the advisory and updated version.