Platform
wordpress
Component
stockholm
Fixed version
9.6.1
CVE-2024-34551 describes a Path Traversal vulnerability in the Select-Themes Stockholm WordPress theme. The theme builds a file path from request-controlled input without properly limiting it to the intended directory, so an attacker can walk out of that directory with ../ sequences and achieve Local File Inclusion (LFI), reading files the web server can access and potentially executing arbitrary code. The vulnerability affects Stockholm versions up to and including 9.6; the fix is in version 9.6.1.
The core impact lies in the Local File Inclusion itself. Because the traversed path reaches a PHP include, an attacker can craft requests that pull in arbitrary files from the server's filesystem, bypassing the directory restriction the theme intended. Anything readable by the PHP process is exposed: wp-config.php with the database credentials and salts, theme and plugin source, and system files such as /etc/passwd. If the attacker can also place PHP code in any file that the include can reach (an uploaded file, a poisoned log or session file), the LFI becomes remote code execution and the attacker gains control of the WordPress instance. That escalation path is what makes this a high-severity issue rather than an information disclosure alone.
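The pattern behind this class of bug, and the containment check that closes it, as an added example. This is not code from the Stockholm theme or from Select Themes: the advisory does not name the affected file or parameter, so a generic template loader stands in for it, written in Python so it can be run. The directory tree it creates (a templates directory holding header.php, with a wp-config.php one level up) and the payloads are constructed for the example. The hardened resolver performs the same check a PHP fix would do with realpath() followed by a prefix comparison against the canonical base directory.

```python
"""Path traversal into include(): the bug class behind CVE-2024-34551 and
its hardened form. Added example; not the Stockholm theme's code. The
affected file and parameter are not public in the advisory, so a generic
template loader is used. The fixture tree and payloads are constructed."""
import os
import shutil
import tempfile


def build_fixture():
    """Constructed tree: templates/header.php is legitimate; wp-config.php one
    level up must never be reachable through the template parameter."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    templates = os.path.join(root, "templates")
    os.mkdir(templates)
    with open(os.path.join(templates, "header.php"), "w") as fh:
        fh.write("<?php // legitimate template\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    return root, templates


def vulnerable_resolve(templates_dir, user_value):
    """The bug class: join the request parameter onto the directory and hand
    the result straight to include(). '../wp-config.php' walks out of the
    directory, and an absolute value makes os.path.join drop the base entirely
    (PHP string concatenation misbehaves the same way for '../')."""
    return os.path.join(templates_dir, user_value)


def hardened_resolve(templates_dir, user_value):
    """Canonicalise both sides, then require the candidate to sit inside the
    base directory and to be an existing .php file. Returns None on any
    violation; the caller treats None as 'template not found'."""
    if "\x00" in user_value:  # null byte: reject before touching the filesystem
        return None
    base = os.path.realpath(templates_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # Escaped the base via '..' or an absolute path: the common prefix is no longer the base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(".php") or not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Run both resolvers over the same payloads. Returns
    {label: (vulnerable_resolver_reaches_a_file, hardened_resolver_allows_it)}."""
    root, templates = build_fixture()
    payloads = {
        "legit": "header.php",
        "dotdot": "../wp-config.php",
        "absolute": os.path.join(root, "wp-config.php"),
    }
    results = {}
    try:
        for label, value in payloads.items():
            vuln_reaches = os.path.isfile(vulnerable_resolve(templates, value))
            hardened_allows = hardened_resolve(templates, value) is not None
            results[label] = (vuln_reaches, hardened_allows)
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, (reaches, allowed) in demo().items():
        print(f"{label:9s} vulnerable reaches file: {reaches!s:5s} hardened allows: {allowed}")
```

The realpath-then-commonpath order matters: canonicalising first collapses .. segments and follows symlinks, so the comparison is made on the path the filesystem will actually open, not on the string the attacker supplied. Filtering the string for "../" instead is the approach that encoded and doubled sequences routinely bypass.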
CVE-2024-34551 was publicly disclosed on 2024-06-04. No active exploitation campaigns have been publicly reported as of this writing, and the vulnerability is not listed in CISA KEV. Its EPSS score (0.65%, 71st percentile) is moderate, but LFI flaws in WordPress themes are simple to exploit once the affected parameter is known, and public proof-of-concept code for such issues tends to appear quickly, so treat the probability of exploitation as high.
Websites with the Select-Themes Stockholm theme installed at version 9.6 or earlier are at risk. Shared hosting environments where multiple WordPress installations run under the same server account are especially exposed, because file reads are not confined to the vulnerable site and a compromise of one site can lead to the compromise of its neighbours. Treat any installed copy of the theme as in scope, including copies that are installed but not active: inactive theme files remain on disk and reachable by the web server.
• wordpress: read the installed version from the theme's style.css header. Stockholm is a theme, not a plugin, so it lives under wp-content/themes; the directory name stockholm and the web root below are assumptions, adjust them to your install.
grep -m1 -i '^Version:' /var/www/html/wp-content/themes/stockholm/style.css
wp theme list --fields=name,version,status
• generic web: a traversal placed in the URL path (for example /wp-content/themes/stockholm/../../../../etc/passwd) is collapsed by curl unless --path-as-is is given, and by the web server before PHP runs, so a 403 or 404 from such a request proves nothing about this flaw. The traversal has to reach the theme's include through a request parameter, so look for traversal sequences, encoded variants included, in the access logs instead:
grep -Ei '\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/|\.\.%5c' /var/log/apache2/access.log
• wordpress: list every installed copy of the theme, active or inactive, since inactive themes stay on disk:
wp theme list --fields=name,version,status | grep -i stockholm
• wordpress: Stockholm is a premium theme, so wp theme update only works when the vendor's update source is registered in WordPress; otherwise install 9.6.1 from Select Themes through Appearance > Themes, then confirm the version:
wp theme update stockholm
wp theme get stockholm --field=version
Exploitation status
EPSS
0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34551 is to upgrade the Select-Themes Stockholm theme to version 9.6.1 or later without delay. If upgrading is not immediately possible because of compatibility concerns, do not rely on file permissions alone: the include runs as the web server user, which must already be able to read wp-config.php and the rest of the site, so tightening permissions closes little. More useful interim controls are a PHP open_basedir setting that confines file access to the site's document root (this blocks /etc/passwd, not wp-config.php) and a Web Application Firewall rule that rejects traversal sequences (../) after URL-decoding the request, so that %2e%2e%2f, double-encoded forms and backslash variants are caught as well. After upgrading, confirm the installed version reads 9.6.1 or later and, against your own instance only, verify that a traversal payload in the affected parameter is refused.
Update the Stockholm theme to 9.6.1 or a later release. If you cannot update, disable the theme or replace it with a maintained alternative. Check the vendor's website for details and updates.
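Triage logic for the access-log check in the list above and for the WAF rule described in the mitigation paragraph, as an added example; it is not tooling from this page, from Select Themes, or from any WAF product. It contrasts the literal grep for ../ with a matcher that URL-decodes request paths and query values, including double encoding and backslash variants, before looking for dot-dot segments. The log lines and the tpl parameter are constructed for the example; the real Stockholm parameter is not given in the advisory.

```python
"""Find path-traversal attempts in web server access logs after decoding.
Added example, not from the page or the vendor. Log lines below are
constructed (Apache combined format); 'tpl' is a hypothetical parameter
standing in for whatever the real theme reads."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2024:10:00:01 +0000] "GET /wp-content/themes/stockholm/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2024:10:00:02 +0000] "GET /?tpl=../../../../wp-config.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.12 - - [04/Jun/2024:10:00:03 +0000] "GET /?tpl=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1804 "-" "python-requests/2.31"
203.0.113.13 - - [04/Jun/2024:10:00:04 +0000] "GET /?tpl=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "-"
203.0.113.14 - - [04/Jun/2024:10:00:05 +0000] "GET /?tpl=..%5c..%5cwp-config.php HTTP/1.1" 200 300 "-" "-"
203.0.113.15 - - [04/Jun/2024:10:00:06 +0000] "GET /blog/2024/06/my..dots..post/ HTTP/1.1" 200 9000 "-" "-"
"""

# Client IP and the request target from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing, so %252e%252e (double
    encoding) ends up as '..' like a server-side double decode would."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_segment(segment):
    """A path segment made only of dots and at least two long: '..', '...',
    '....'. Deliberately broad for triage; 'my..post' is not flagged."""
    return len(segment) >= 2 and segment.strip(".") == ""


def has_traversal(target):
    """True if the request path or any query value, once decoded and with
    backslashes treated as separators, contains a dot-dot segment."""
    parts = urlsplit(target)
    values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for value in values:
        segments = decode_fully(value).replace("\\", "/").split("/")
        if any(is_traversal_segment(s) for s in segments):
            return True
    return False


def scan_access_log(text):
    """Return (client_ip, request_target) for every line carrying a traversal."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match and has_traversal(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


def naive_grep(text):
    """What grep -F '../' would report: only the literal, unencoded form."""
    return sum(1 for line in text.splitlines() if "../" in line)


if __name__ == "__main__":
    print("literal grep hits:", naive_grep(SAMPLE_LOG))
    for ip, target in scan_access_log(SAMPLE_LOG):
        print("decoded match:", ip, target)
```

On the constructed sample the literal grep reports one line while the decoding matcher reports four, including the attempt that returned 404: a failed attempt is still a signal that someone is probing the parameter. The same decode-then-match order is what a WAF rule needs; a rule that inspects the raw request string can be bypassed with a single layer of percent-encoding.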
CVE-2024-34551 is a high-severity Path Traversal vulnerability in the Select-Themes Stockholm WordPress theme that allows attackers to include arbitrary files from the server (Local File Inclusion).
You are affected if you have Select-Themes Stockholm version 9.6 or earlier installed, whether or not it is the active theme. Upgrade to 9.6.1 to remove the risk.
Upgrade the Select-Themes Stockholm theme to version 9.6.1 or later. Use a WAF rule that blocks decoded traversal sequences as a temporary measure if you cannot upgrade immediately.
No active exploitation campaigns have been confirmed, but the severity of the flaw and the simplicity of LFI exploitation make exploitation likely.
Refer to the Select-Themes website and the theme's changelog for the latest advisory and update information; Stockholm is a premium theme and is not distributed through the WordPress.org theme repository.