Platform: wordpress
Component: ajax-filter-posts
Fixed in: 3.4.13
CVE-2024-11642 is a critical Local File Inclusion (LFI) vulnerability in the Post Grid Master WordPress plugin (plugin directory ajax-filter-posts), reachable through the plugin's locate_template function. It allows unauthenticated attackers to include and execute arbitrary files on the server, which can lead to complete compromise of the site. All versions up to and including 3.4.12 are affected; the vendor fixed the issue in version 3.4.13.
The impact of this LFI vulnerability is severe. Because the attacker controls which file the PHP interpreter includes, any file on the server that contains PHP and that the attacker can place or find (for example a PHP payload uploaded under an image or other innocuous file type) is executed in the web server's context, which amounts to remote code execution (RCE). Even without a writable location, an LFI lets the attacker read sensitive files such as wp-config.php. The result can be a full takeover of the website: data exfiltration, modification of content, and installation of malware. Since the include happens before any of WordPress's own access controls are consulted, those controls offer no protection.
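The following is an added illustrative example, not the Post Grid Master plugin's code and not taken from the advisory. It models the bug class described above in PHP: a template name taken from the request is turned into an include path without validation, so "../" sequences escape the template directory. The hardened version restricts the name to an allowlist of plain tokens and confirms with realpath() that the resolved file stays inside the template directory. The function names, the template directory and the probe strings are assumptions made for the demonstration.

```php
<?php
// Added example: generic vulnerable vs. hardened template locator.
// Not the plugin's real code; the names below are illustrative.
declare(strict_types=1);

// Vulnerable pattern: $name comes straight from the request and ends up in
// include/require. '../../../wp-config' walks out of the template directory.
function locate_template_unsafe(string $dir, string $name): string
{
    return $dir . '/' . $name . '.php';
}

// Hardened pattern: (1) only plain tokens, (2) only names we ship,
// (3) realpath containment check as defence in depth (symlinks, '..').
function locate_template_safe(string $dir, string $name, array $allowed): ?string
{
    if (!preg_match('/^[a-z0-9_-]+$/i', $name)) {
        return null;                       // rejects '../', 'php://', NUL bytes, etc.
    }
    if (!in_array($name, $allowed, true)) {
        return null;                       // unknown template name
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                       // directory or template file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the template directory
    }
    return $path;
}

// Self-test on a temporary template directory (constructed sample data).
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/grid.php', "<?php echo 'grid';\n");
$allowed = ['grid', 'list'];

$probes = [
    'grid',                     // legitimate, file exists
    'list',                     // allowlisted but file absent: rejected, never includes a guessed path
    '../../../wp-config',       // traversal to a real .php file under the WordPress root
    '../../../../etc/passwd',   // classic probe; with a fixed .php suffix it needs the unsafe code to drop the suffix
    'php://filter/convert.base64-encode/resource=wp-config', // stream wrapper, reaches include() when the name is not prefixed by a directory
];
foreach ($probes as $p) {
    printf("%-58s unsafe=%s\n%-58s safe=%s\n", $p,
        locate_template_unsafe($dir, $p), '',
        locate_template_safe($dir, $p, $allowed) ?? 'REJECTED');
}

unlink($dir . '/grid.php');
rmdir($dir);
```

Run it with `php locate_template_example.php`. The allowlist alone already stops every hostile probe; the realpath() containment check is kept so that a future change that relaxes the allowlist (or a symlink dropped into the template directory) still cannot pull in files from outside it.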
This vulnerability is considered high risk because no authentication is required and the potential impact is code execution. Public proof-of-concept (PoC) code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on 2025-01-09. It is not currently listed in the CISA KEV catalog, but its severity warrants close monitoring.
WordPress websites running the Post Grid Master plugin at version 3.4.12 or earlier are at significant risk. Shared hosting environments deserve particular attention: where sites are not isolated from each other at the process or filesystem level, code execution obtained through one site can expose its neighbours.
• wordpress / composer / npm:
grep -r 'locate_template' /var/www/html/wp-content/plugins/ajax-filter-posts/
(The plugin's directory is ajax-filter-posts, not post-grid-master. A match only confirms the plugin is installed, since WordPress core also defines locate_template(); confirm the version with one of the checks below.)
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/ajax-filter-posts/readme.txt | grep -i '^Stable tag'
(There is no locate_template.php file to request; the plugin's readme.txt, if it is publicly readable, reports the release version as the Stable tag. A value of 3.4.12 or lower is vulnerable.)
• wordpress / composer / npm:
wp plugin list --fields=name,version | grep ajax-filter-posts
Exploit status
EPSS: 0.29% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Post Grid Master plugin to version 3.4.13 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, deactivate the plugin until it can be updated; locate_template is an internal plugin function, so it cannot be "restricted" from the outside, and the exposed code path is reachable by unauthenticated requests. A Web Application Firewall (WAF) rule that blocks directory-traversal sequences (raw or URL-encoded "../") and PHP stream wrappers such as php:// in request parameters provides a layer of defense against the common exploitation patterns, and an open_basedir restriction on the PHP side limits which files an include can reach. Monitor web server and WordPress logs for such patterns, particularly requests that reference wp-config.php or other files outside the plugin's template directory.
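As an added example of the log monitoring suggested above (not part of the advisory, and not a detection the plugin vendor provides), the PHP script below scans access-log lines for the traces an LFI probe leaves: directory traversal in raw, URL-encoded and double-encoded form, PHP stream wrappers, and well-known target files. The log lines are constructed for the demonstration, and the query parameter names "action=ajax_filter" and "template" are hypothetical; the plugin's real parameter names are not given on this page.

```php
<?php
// Added example: LFI-probe detection over access-log lines.
// Log lines below are constructed; parameter names are hypothetical.
declare(strict_types=1);

// Indicators checked on both the raw line and a twice-URL-decoded copy.
const LFI_PATTERNS = [
    'traversal'   => '~(?:\.\./|\.\.\\\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e%252f)~i',
    'wrapper'     => '~(?:php|data|expect|phar|zip)://~i',
    'target_file' => '~(?:wp-config(?:\.php)?|/etc/passwd|/proc/self/environ)~i',
];

// Returns the list of indicator labels that match one log line.
function classify_request(string $line): array
{
    // Decoding twice catches %252e (double-encoded) as well as %2e.
    $decoded = rawurldecode(rawurldecode($line));
    $hits = [];
    foreach (LFI_PATTERNS as $label => $re) {
        if (preg_match($re, $line) === 1 || preg_match($re, $decoded) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Returns one alert per suspicious line: line number, indicators, raw text.
function find_lfi_attempts(array $lines): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $hits = classify_request($line);
        if ($hits !== []) {
            $alerts[] = ['line' => $i + 1, 'indicators' => $hits, 'raw' => $line];
        }
    }
    return $alerts;
}

// Constructed sample (combined log format). Only lines 2-4 should alert.
$sample = [
    '203.0.113.5 - - [09/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_filter&template=grid HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_filter&template=../../../../wp-config HTTP/1.1" 200 1834',
    '203.0.113.7 - - [09/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_filter&template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 1834',
    '203.0.113.9 - - [09/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_filter&template=php://filter/convert.base64-encode/resource=../../wp-config HTTP/1.1" 200 2448',
    '198.51.100.2 - - [09/Jan/2025:10:00:05 +0000] "GET /?s=posts HTTP/1.1" 200 9211',
];

foreach (find_lfi_attempts($sample) as $a) {
    printf("line %d [%s]: %s\n", $a['line'], implode(',', $a['indicators']), $a['raw']);
}
```

To run it against a real log, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` or the equivalent nginx path. A 200 response to a traversal request, as in the second and third constructed lines, is the combination that most deserves follow-up, because it suggests the include succeeded rather than being rejected.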
Update the Post Grid Master plugin to the latest available version. The vulnerability allows local file inclusion, which could allow arbitrary PHP code execution on the server.
CVE-2024-11642 is a critical Local File Inclusion vulnerability in the Post Grid Master plugin for WordPress that allows unauthenticated attackers to include and execute arbitrary files on the server.
You are affected if you are using Post Grid Master plugin version 3.4.12 or earlier. Upgrade to 3.4.13 or later immediately.
Upgrade the Post Grid Master plugin to the latest available version. If upgrading is not possible, deactivate the plugin and use a WAF rule that blocks directory-traversal sequences and PHP stream wrappers in request parameters as a temporary measure.
While active exploitation is not confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Check the Post Grid Master plugin developer's website or WordPress plugin repository for the official advisory and updated version.