Platform
wordpress
Component
stockholm
Fixed version
9.6.1
CVE-2024-34552 is a path traversal vulnerability in the Select-Themes Stockholm WordPress plugin. The flaw lets an attacker include arbitrary files from the server, exposing sensitive data. Stockholm versions up to and including 9.6 are affected; the fix ships in version 9.6.1.
The path traversal in Select-Themes Stockholm lets an attacker bypass the intended file restrictions and include arbitrary files from the server. By manipulating a file path, an attacker can read configuration files, source code, or other sensitive data; on a WordPress host the obvious target is wp-config.php, which holds the database credentials and authentication salts. Because the primitive is a file include rather than a plain read, it escalates to remote code execution if the attacker can get PHP code into any file the web server user can read (an uploaded file, a poisoned log, a session file). The blast radius is every site running a vulnerable Stockholm version, and it grows when the same server hosts other applications or data the web server user can read.
CVE-2024-34552 was publicly disclosed on 2024-06-04. No known public proof-of-concept exploits are currently available, but the vulnerability's nature makes it likely that exploits will be developed. The vulnerability is not currently listed on CISA KEV. Given the ease of exploitation associated with Path Traversal vulnerabilities, it is prudent to apply the patch promptly.
WordPress sites running the Select-Themes Stockholm plugin at version 9.6 or earlier are at risk. Shared hosting environments where site owners have limited control over plugin updates are especially exposed. Sites with loose file permissions, where the web server user can read files outside the web root that it has no need for, widen what a successful include can reach.
• wordpress / composer / npm:
grep -rnF '../' /var/www/html/wp-content/plugins/select-themes-stockholm/
(a coarse search for literal traversal strings in the plugin source; -F is needed because as a regex "../" matches any two characters before a slash, which is nearly every line)
• generic web:
curl -sI --path-as-is 'http://your-wordpress-site.com/wp-content/plugins/select-themes-stockholm/../../../../etc/passwd'
(--path-as-is stops curl from collapsing the ".." segments before sending; without it the request never leaves the plugin directory and tests nothing)
• wordpress / composer / npm:
wp plugin list | grep -i stockholm
wp theme list | grep -i stockholm
(filtering with --status=inactive would hide an active install; Stockholm also ships as a theme, so check both lists and compare the reported version against 9.6.1)
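The version comparison behind "9.6 or earlier is affected" is easy to get wrong with string comparison ("9.10" sorts below "9.6.1" as text). As an added example, not code from this page or from Select-Themes, the following Python reads the Version: field out of a WordPress plugin or theme header and compares it numerically against the fixed release. The header text is constructed for the example and is not the real Stockholm file.

```python
import re

# Constructed header text in the shape of a WordPress theme/plugin header;
# not the real Stockholm file.
SAMPLE_HEADER = """\
/*
Theme Name: Stockholm
Author: Select-Themes
Version: 9.6
*/
"""

FIXED_VERSION = "9.6.1"


def parse_version(text):
    """'9.6' -> (9, 6), '9.6.1' -> (9, 6, 1). Tuples compare numerically;
    plain string comparison would rank '9.10' below '9.6.1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def header_version(header_text):
    """Pull the Version: field from a plugin or theme header block
    (tolerates a leading '*' from PHP doc-comment style headers)."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_header(header_text):
    """Report the version found in a header and whether it is affected;
    None when no Version: field is present."""
    version = header_version(header_text)
    if version is None:
        return None
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))
```

Point it at the real header by reading wp-content/plugins/select-themes-stockholm/ (or the theme's style.css) and passing the contents to check_header().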
Exploit status
EPSS
0.65% (71st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-34552 is to upgrade the Select-Themes Stockholm plugin to version 9.6.1 or later immediately. If the upgrade must wait for compatibility testing, a Web Application Firewall (WAF) rule that blocks path traversal sequences is a stopgap; the rule has to match after URL decoding, and should cover percent-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f) and backslash (..%5c) forms, not just the literal "../". Review file permissions so the web server user can read only what the site needs, since every file it can read is in reach of the include. Monitor the web server access logs for traversal attempts against the plugin path, paying particular attention to ones that received a 200 response.
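As an added example (not code from this page or from Select-Themes), the following Python script applies the log-monitoring advice above: it decodes percent-encoding until the value stops changing (so double encoding is caught), folds backslashes to slashes, and flags any request into the plugin directory whose path or query value contains a ".." segment, marking 200 responses as likely successful reads. The log lines, the example.php file name and the file= parameter are constructed for the example; this page does not document the real vulnerable endpoint or parameter. The same normalize() step is what a WAF rule needs before matching, since matching the literal "../" misses the encoded variants.

```python
import re
from urllib.parse import unquote

# Plugin directory this page is about. The request shapes below are
# constructed for the example and are not the real vulnerable endpoint.
PLUGIN_PREFIX = "/wp-content/plugins/select-themes-stockholm/"

# Constructed sample lines in Apache/nginx "combined" format, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2024:10:00:01 +0000] "GET /wp-content/plugins/select-themes-stockholm/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/select-themes-stockholm/../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.12 - - [04/Jun/2024:10:00:03 +0000] "GET /wp-content/plugins/select-themes-stockholm/example.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.13 - - [04/Jun/2024:10:00:04 +0000] "GET /wp-content/plugins/select-themes-stockholm/example.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "-"
203.0.113.14 - - [04/Jun/2024:10:00:05 +0000] "GET /wp-content/plugins/select-themes-stockholm/example.php?file=..%5c..%5cwp-config.php HTTP/1.1" 200 2048 "-" "-"
203.0.113.15 - - [04/Jun/2024:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." path segment: at the start or after a slash, followed by a slash or the end.
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")


def normalize(value, rounds=3):
    """Percent-decode until stable (catches double encoding) and fold
    backslashes, so '..%5c' and '%252e%252e%252f' both end up as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def contains_traversal(target):
    """True if the request path or any query value holds a '..' segment
    after normalization."""
    path, _, query = target.partition("?")
    candidates = [normalize(path)]
    for kv in query.split("&"):
        if kv:
            candidates.append(normalize(kv.partition("=")[2]))
    return any(DOTDOT_RE.search(c) for c in candidates)


def scan(log_text):
    """Return traversal attempts aimed at the plugin directory. A 200 to such
    a request is the finding worth triaging as a likely successful read."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["target"].partition("?")[0]
        if not normalize(path).startswith(PLUGIN_PREFIX):
            continue
        if contains_traversal(m["target"]):
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "likely_success": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "not served"
        print(f"{f['ip']:<14} {f['status']} {flag:<14} {f['target']}")
```

On the constructed sample the scanner reports four attempts, three of which were answered with 200; the plain "../" in the path was refused with a 404 because the web server collapsed the dot segments itself, which is exactly why the encoded forms are the ones to watch for.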
Update the Stockholm theme to the latest available version. If no fixed version is available, consider disabling the theme or replacing it with a secure alternative. Watch for security updates from the vendor.
CVE-2024-34552 is a Path Traversal vulnerability in the Select-Themes Stockholm WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
You are affected if you are using Select-Themes Stockholm version 9.6 or earlier. Upgrade to 9.6.1 to resolve the issue.
Upgrade the Select-Themes Stockholm plugin to version 9.6.1 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's nature suggests it may be targeted soon. Prompt patching is recommended.
Refer to the Select-Themes website and WordPress plugin repository for the latest advisory and update information.