Platform
wordpress
Component
listingpro-plugin
Fixed version
2.9.4
CVE-2024-39619 describes a Path Traversal vulnerability within the ListingPro WordPress plugin. This flaw allows attackers to exploit improper limitations on file paths, resulting in PHP Local File Inclusion. Versions of ListingPro prior to 2.9.4 are vulnerable, and a patch has been released to address the issue.
The Path Traversal vulnerability in ListingPro allows an attacker to include arbitrary files from the server's filesystem. This is a severe risk because it can lead to Remote Code Execution (RCE) if the attacker can include a file containing malicious PHP code. Successful exploitation could grant an attacker complete control over the WordPress instance, enabling them to steal sensitive data, modify website content, or even use the server as a launchpad for further attacks. The impact is particularly high given the plugin's potential use in listing directories and business websites, which often contain valuable customer data and financial information.
CVE-2024-39619 was publicly disclosed on August 1, 2024. While no public proof-of-concept (POC) code has been widely released, the nature of Path Traversal vulnerabilities makes it likely that one will emerge. The EPSS score is likely to be medium to high, given the potential for RCE and the widespread use of WordPress. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites using the ListingPro WordPress plugin, particularly those running versions prior to 2.9.4, are at risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and plugin updates. Businesses relying on ListingPro for directory listings or business profiles are also at heightened risk due to the potential exposure of sensitive customer data.
• wordpress / composer / npm:
grep -r '../' /var/www/html/wp-content/plugins/listingpro/*
• generic web:
curl -I 'https://example.com/wp-content/plugins/listingpro/../../../../etc/passwd'
• wordpress / composer / npm:
wp plugin list --status=active | grep listingpro
Exploitation status
EPSS
1.66% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-39619 is to immediately upgrade the ListingPro plugin to version 2.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict file upload permissions and carefully review any user-supplied input that is used in file inclusion operations. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that it is blocked or results in an error.
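The two controls described above, a WAF-style traversal filter and a file-inclusion path check, as an added defender-side illustration written for this page (not ListingPro's own code; the template directory, query parameter and sample requests are assumed and constructed):

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed template directory for a plugin (not taken from the ListingPro code base).
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/listingpro/templates"

# Traversal markers in raw form plus null bytes; percent-encoded forms are
# caught by decoding before each pass (see is_traversal_attempt).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%00|\x00)", re.IGNORECASE)


def is_traversal_attempt(request_path: str) -> bool:
    """WAF-style check: look for ../ style sequences in the raw path,
    then after one and two rounds of percent-decoding (double encoding)."""
    candidate = request_path
    for _ in range(2):
        if TRAVERSAL_RE.search(candidate):
            return True
        candidate = unquote(candidate)
    return bool(TRAVERSAL_RE.search(candidate))


def resolve_template(name: str, base_dir: str = TEMPLATE_DIR) -> Optional[str]:
    """Map a user-supplied template name to a path inside base_dir.
    Returns None unless the name is a plain .php filename whose resolved
    path still lies under base_dir (allow-list plus realpath containment)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.php", name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


# Constructed sample request paths (not real traffic) to exercise the filter.
SAMPLE_REQUESTS = [
    "/wp-content/plugins/listingpro/?template=listing-single.php",
    "/wp-content/plugins/listingpro/../../../../etc/passwd",
    "/wp-content/plugins/listingpro/?template=..%2F..%2Fwp-config.php",
    "/wp-content/plugins/listingpro/?template=%252e%252e%2Fwp-config.php",
]


def flag_requests(requests: List[str]) -> List[str]:
    """Return the subset of request paths that the filter would block."""
    return [r for r in requests if is_traversal_attempt(r)]
```

The allow-list regex alone already rejects traversal names; the realpath containment check is kept as defence in depth for the case where the name pattern is later loosened.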
Update the ListingPro plugin to the latest version. This fixes the Local File Inclusion vulnerability and protects your website. An attacker could use this vulnerability to access sensitive files on the server.
CVE-2024-39619 is a critical Path Traversal vulnerability in the ListingPro WordPress plugin, allowing attackers to potentially include arbitrary files and execute code.
Yes, if you are using ListingPro version 2.9.3 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade the ListingPro plugin to version 2.9.4 or later to resolve this vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the CridioStudio website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-39619.