Platform: wordpress
Component: wp-event-solution
Fixed in: 4.0.9
CVE-2024-7149 describes a Local File Inclusion (LFI) vulnerability affecting the Eventin plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. The vulnerability impacts versions of Eventin up to and including 4.0.8. A patch is expected from the vendor.
The impact of this vulnerability is significant due to the potential for remote code execution. An attacker, having only Contributor-level access, can leverage the LFI to include and execute arbitrary PHP code. This could lead to the theft of sensitive data stored on the server, modification of website content, or even complete compromise of the WordPress installation. The attacker could potentially escalate privileges and gain full control of the server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing backdoors, injecting malware, and launching further attacks against other systems on the network.
CVE-2024-7149 was publicly disclosed on 2024-09-27. While no public exploits are currently known, the ease of exploitation and the potential impact make it a high-priority vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. Given the plugin's popularity and the relatively simple exploitation path, active exploitation is possible.
Exploit Status
EPSS: 0.71% (72nd percentile)
The primary mitigation for CVE-2024-7149 is to upgrade the Eventin plugin to a patched version as soon as it becomes available. Until a patch is released, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files that can be included. Implement strict input validation and sanitization to prevent attackers from manipulating the style parameters. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious file paths. Monitor WordPress logs for unusual file access patterns or PHP execution attempts.
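As an added illustration of the input-validation mitigation above (this is not Eventin's own code; the function, parameter and template names are hypothetical), a template loader that only includes files chosen from a fixed allowlist and confined to the plugin's template directory:

```php
<?php
// Added example, not the plugin's code. Names are hypothetical.

/**
 * Map a user-supplied "style" slug to a template file under $template_dir.
 * Returns the absolute path, or null if the slug must not be rendered.
 */
function demo_resolve_style_template(string $style, string $template_dir): ?string
{
    // 1. Allowlist: only known style names are ever mapped to a file.
    //    Anything else (traversal sequences, wrappers, other extensions) is rejected.
    $allowed = ['default', 'grid', 'list'];
    if (!in_array($style, $allowed, true)) {
        return null;
    }

    // 2. Build the path from the allowlisted slug, never from raw request data.
    $candidate = realpath($template_dir . '/style-' . $style . '.php');
    $base      = realpath($template_dir);

    // 3. Defence in depth: the resolved file must still sit inside $template_dir
    //    (catches symlinks or a misconfigured base directory).
    if ($candidate === false || $base === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// The pattern this replaces is an include whose path is assembled directly
// from the request parameter; that is what lets a low-privilege user point
// the include at a file they control.
$style = isset($_GET['style']) ? sanitize_key((string) $_GET['style']) : 'default';
$path  = demo_resolve_style_template($style, __DIR__ . '/templates');
if ($path === null) {
    wp_die('Unknown style.'); // or silently fall back to the default template
}
include $path;
```

`sanitize_key()` and `wp_die()` are WordPress core functions; the allowlist check is what actually prevents inclusion of arbitrary files, the realpath check is a second layer.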
Update the Eventin plugin to the latest available version. The Local File Inclusion vulnerability allows authenticated attackers to execute arbitrary PHP code on the server. The update fixes this vulnerability.
CVE-2024-7149 is a Local File Inclusion vulnerability in the Eventin WordPress plugin, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Eventin plugin versions 4.0.8 or earlier. Check your plugin version and upgrade as soon as a patch is available.
Upgrade the Eventin plugin to the latest version as soon as a patch is released by the vendor. Until then, restrict file upload permissions and implement input validation.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests active exploitation is possible.
Check the Eventin plugin website and WordPress plugin repository for the official advisory and patch release.