Platform
wordpress
Component
wpbakery
Fixed version
7.7.1
A critical Local File Inclusion (LFI) vulnerability has been identified in WPBakery Visual Composer, affecting versions up to 7.7. This flaw allows authenticated attackers with Author-level access or higher to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability was publicly disclosed on August 6, 2024, and a patched version is recommended to address the risk.
The impact of CVE-2024-5709 is severe due to the potential for remote code execution (RCE). An attacker who can successfully exploit this vulnerability can upload seemingly innocuous files (like images) and then include them via the 'layout_name' parameter, effectively executing arbitrary PHP code. This could allow them to gain full control over the WordPress instance, steal sensitive data (user credentials, database information), modify website content, or even install malware. The ability to bypass access controls and execute code within the WordPress environment significantly expands the attack surface and increases the potential for widespread damage.
CVE-2024-5709 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's ease of exploitation and the high impact. The vulnerability's reliance on authenticated access suggests that targeted attacks against WordPress sites with existing vulnerabilities or weak credentials are most likely. The NVD entry was published on August 6, 2024.
WordPress websites utilizing WPBakery Visual Composer, particularly those with weak user authentication or inadequate file upload restrictions, are at significant risk. Shared hosting environments where users have Author-level access or higher are especially vulnerable, as attackers can leverage this privilege to compromise the entire hosting account.
• wordpress / composer / npm:
grep -r 'layout_name' /var/www/html/wp-content/plugins/wpb-visual-composer/
• wordpress / composer / npm:
wp plugin list --status=active | grep wpb-visual-composer
• wordpress / composer / npm:
curl -I http://your-wordpress-site.com/wp-content/plugins/wpb-visual-composer/layout.php?layout_name=../../../../wp-config.php
• generic web: Check WordPress plugin directory for mentions of the vulnerability and associated IOCs.
disclosure
Exploitation status
EPSS
0.69% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-5709 is to immediately upgrade WPBakery Visual Composer to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Restrict file upload permissions to prevent attackers from uploading malicious files that can be included. Implement strict input validation on the 'layout_name' parameter to prevent malicious input. Consider using a Web Application Firewall (WAF) with rules to block attempts to include arbitrary files. After upgrading, confirm the vulnerability is resolved by attempting to trigger the LFI with a non-existent file and verifying that the request is denied.
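As an added defender-side example (not code from the advisory, the plugin vendor, or this site), the following Python scans web-server access log lines for 'layout_name' values that fail a strict allowlist, the kind of check the input-validation and WAF advice above calls for. The allowlist rule, the log lines, and the plugin path are constructed assumptions for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Allowlist for a sane layout name (assumption for this example, not the plugin's own rule).
SAFE_LAYOUT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Apache/nginx combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_layout_name(raw_value: str) -> Optional[str]:
    """Return why a layout_name value looks like an LFI attempt, or None if it passes the allowlist."""
    value = unquote(raw_value)  # a second decode catches double-encoded traversal (%252e%252e)
    if "\x00" in value:
        return "null byte"
    if ".." in value:
        return "path traversal"
    if value.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", value):
        return "absolute path"
    if "://" in value:
        return "remote URL"
    if not SAFE_LAYOUT.match(value):
        return "non-allowlisted characters"
    return None

def scan_access_log(lines):
    """Return one finding per request whose layout_name parameter fails the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get("layout_name", []):  # parse_qs has already URL-decoded once
            reason = classify_layout_name(value)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                                 "layout_name": unquote(value), "reason": reason})
    return findings

# Constructed sample log lines (not real traffic); the plugin path follows the advisory's check commands.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Aug/2024:10:01:02 +0000] "GET /wp-content/plugins/wpb-visual-composer/layout.php?layout_name=default HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Aug/2024:10:02:15 +0000] "GET /wp-content/plugins/wpb-visual-composer/layout.php?layout_name=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [06/Aug/2024:10:02:40 +0000] "GET /wp-content/plugins/wpb-visual-composer/layout.php?layout_name=%252e%252e%252fuploads%252fimg.jpg HTTP/1.1" 200 300',
    '198.51.100.2 - - [06/Aug/2024:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 100',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the two requests from 203.0.113.9 and ignores the benign `default` layout; a 200 status on a flagged request is the signal to check whether the patched version is installed.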
Update the WPBakery Visual Composer plugin to the latest available version. This resolves the local file inclusion vulnerability.
CVE-2024-5709 is a Local File Inclusion vulnerability in WPBakery Visual Composer versions up to 7.7, allowing authenticated attackers to execute arbitrary PHP code.
If you are running WPBakery Visual Composer version 7.7 or earlier, you are vulnerable to this LFI flaw.
Upgrade WPBakery Visual Composer to the latest patched version. Implement temporary workarounds like restricting file uploads and input validation if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon.
Refer to the official WPBakery website and WordPress security announcements for the latest advisory and patch information.