Platform: wordpress
Component: filester
Fixed in: 1.8.6
CVE-2024-9669 is a Local File Inclusion (LFI) vulnerability affecting the Filester WordPress plugin. This vulnerability allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server. Versions of Filester up to and including 1.8.5 are affected, and a patch is available in version 1.8.6.
An attacker exploiting this vulnerability could leverage the 'fm_locale' parameter to include and execute arbitrary files. This effectively grants them the ability to bypass access controls and potentially execute code within the WordPress environment. The impact extends to sensitive data exposure, as attackers could include configuration files or other data stores. Furthermore, the ability to execute arbitrary code opens the door to complete system compromise, allowing attackers to install malware, modify website content, or gain persistent access to the server. The ability to upload 'safe' file types like images and include them amplifies the risk.
This vulnerability is publicly known and documented. While no active exploitation campaigns have been definitively linked to CVE-2024-9669 at the time of writing, the ease of exploitation and the prevalence of WordPress installations make it a potential target. The vulnerability was disclosed on 2024-11-27. No KEV listing is currently available.
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-9669 is to immediately upgrade the Filester plugin to version 1.8.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file upload permissions within the WordPress environment to prevent the inclusion of malicious files. Implementing a Web Application Firewall (WAF) with rules to filter out suspicious file inclusion attempts targeting the 'fm_locale' parameter can provide an additional layer of defense. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed.
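The WAF advice above boils down to one check: a legitimate `fm_locale` value is a short locale identifier such as `en` or `de_DE`, so anything carrying path separators, traversal sequences, null bytes or stream wrappers is out of place and worth alerting on. The script below is an added illustration of that detection logic run over access logs; it is not part of this advisory or of the Filester plugin. The log lines, IP addresses and file names in it are constructed, and the request path (`/wp-admin/admin.php?page=filester`) is an assumption made for the sample, not a documented plugin endpoint.

```python
"""Flag access-log requests whose fm_locale parameter does not look like a locale identifier."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format; not real traffic.
# The admin.php?page=filester path is an assumption for the sample, not a documented endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Nov/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Nov/2024:10:00:02 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=de_DE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2024:10:00:03 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=../../../constructed-target.php HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.7 - - [27/Nov/2024:10:00:04 +0000] "GET /wp-admin/admin.php?page=filester&fm_locale=..%2F..%2Fwp-content%2Fuploads%2Fconstructed.jpg HTTP/1.1" 200 812 "-" "curl/8.0"
"""

# Combined-log prefix: client IP, timestamp, method, request target, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# What a locale identifier is allowed to look like: en, en_US, pt-BR, zh_Hant_TW.
LOCALE_RE = re.compile(r'^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*$')


def extract_fm_locale(target):
    """Return the decoded fm_locale values present in a request target (empty list if none)."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("fm_locale", [])
    # parse_qs decodes one layer of percent-encoding; a second unquote catches double-encoded input.
    return [unquote(v) for v in values]


def is_suspicious_locale(value):
    """True when the value is not a plain locale identifier or carries path/traversal/wrapper markers."""
    lowered = value.lower()
    if ".." in lowered or "/" in lowered or "\\" in lowered:
        return True
    if "\x00" in lowered or "%00" in lowered:
        return True
    if lowered.startswith(("php://", "file://", "data:", "http://", "https://")):
        return True
    # Anything else that still fails the allowlist shape is treated as suspicious.
    return LOCALE_RE.match(value) is None


def scan_log(text):
    """Return one finding per request whose fm_locale value fails the allowlist check."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        for value in extract_fm_locale(m.group("target")):
            if is_suspicious_locale(value):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": m.group("status"),
                    "fm_locale": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} fm_locale={f['fm_locale']!r}")
```

The same allowlist shape (`LOCALE_RE`) is what a WAF rule or the application itself should enforce on the parameter before it is ever used to build a file path; a denylist of traversal strings alone is easy to miss with encoding variants, which is why the check above falls through to the allowlist after the cheap denylist tests. Because the advisory notes the flaw requires administrator-level access, a hit from an authenticated admin session is still worth investigating rather than dismissing.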
Update to version 1.8.6, or a newer patched version
CVE-2024-9669 is a vulnerability in the Filester WordPress plugin allowing authenticated admins to include and execute arbitrary files, potentially leading to code execution.
You are affected if you are using Filester version 1.8.5 or earlier. Upgrade to 1.8.6 to resolve the vulnerability.
Upgrade the Filester plugin to version 1.8.6 or later. If immediate upgrade isn't possible, restrict file upload permissions and consider a WAF.
While no confirmed active exploitation campaigns are currently known, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Filester plugin documentation and WordPress security announcements for the latest information and advisory regarding CVE-2024-9669.