Platform
wordpress
Component
ajax-filter-posts
Fixed in
3.4.13
CVE-2024-11642 is a critical Local File Inclusion (LFI) vulnerability in the Post Grid Master WordPress plugin (component slug ajax-filter-posts). Attacker-controlled input reaches a template lookup (locate_template) without sufficient validation of the file path, so an unauthenticated attacker can make the server include arbitrary local files and execute any PHP code they contain. All versions up to and including 3.4.12 are affected; the vendor fixed the issue in 3.4.13.
The impact is severe. Including a file the attacker controls turns the LFI into remote code execution (RCE): for example a PHP script uploaded under an image or other "safe" file type, on sites that permit such uploads. From there the site can be fully taken over, including data exfiltration, modification of content and installation of malware. Even without a file to execute, the inclusion itself bypasses the access controls that normally protect sensitive local files.
The vulnerability is rated high risk because it requires no authentication and is simple to trigger, and public proof-of-concept (PoC) code may appear, which would raise the likelihood of widespread exploitation. It was publicly disclosed on 2025-01-09. It is not currently listed in the CISA KEV catalog, but its severity warrants close monitoring. Note that the EPSS score below (0.29%) is a low predicted probability of exploitation in the wild; EPSS measures something different from CVSS severity, and a low EPSS is not a reason to defer the upgrade.
WordPress sites running the Post Grid Master plugin at version 3.4.12 or earlier are affected. On shared hosting the impact can be broader, because the web server process frequently has read access beyond the site's own document root and upload directories are typically writable, which makes both the information-disclosure and the code-execution paths easier for an attacker.
Detection checks (the plugin's directory name is its component slug, ajax-filter-posts, not its display name):
• wordpress (file system): confirm the plugin is present and read its declared version. locate_template is a WordPress core function used by many plugins, so a hit for it only confirms the plugin calls it; the installed version decides exposure:
  grep -rl 'locate_template' /var/www/html/wp-content/plugins/ajax-filter-posts/
  grep -m1 'Version:' /var/www/html/wp-content/plugins/ajax-filter-posts/*.php
• generic web (unauthenticated fingerprint): read the version the plugin publishes in its readme, if the file is reachable (hardened sites often block it):
  curl -s https://your-wordpress-site.com/wp-content/plugins/ajax-filter-posts/readme.txt | grep -i 'stable tag'
• wordpress (WP-CLI): list the installed version and compare it with 3.4.13:
  wp plugin list --fields=name,version,status | grep 'ajax-filter-posts'
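The version comparison behind these checks, as an added example that is not code from the advisory or from the plugin. It assumes the standard WordPress plugin header (a "Version:" line in a top-level .php file of the plugin directory) and the fixed version 3.4.13 stated above; the plugin file name used in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify an installed copy of the plugin as vulnerable or
# fixed for CVE-2024-11642 (fixed in 3.4.13, per the advisory above).
# Assumption: the plugin declares its version in the standard WordPress
# "Version:" header line of a top-level .php file in its directory.
set -u

FIXED_VERSION="3.4.13"

# Print the version from the plugin header, or nothing if no header is found.
plugin_header_version() {
    local dir="$1"
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:[[:space:]]*[0-9]' "$dir"/*.php 2>/dev/null \
        | head -n1 \
        | sed -E 's/.*Version:[[:space:]]*([0-9][0-9A-Za-z.-]*).*/\1/'
}

# Print "vulnerable" if $1 is below FIXED_VERSION, "fixed" otherwise, and
# "unknown" for an empty version. `sort -V` compares versions component by
# component, so 3.4.2 < 3.4.12 < 3.4.13 is handled (a plain string compare
# would get 3.4.2 wrong).
version_status() {
    local installed="$1"
    if [ -z "$installed" ]; then
        echo "unknown"
        return 0
    fi
    local lowest
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n1)
    if [ "$installed" != "$FIXED_VERSION" ] && [ "$lowest" = "$installed" ]; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Plugin directory in, status out. On a real site:
#   check_plugin_dir /var/www/html/wp-content/plugins/ajax-filter-posts
check_plugin_dir() {
    version_status "$(plugin_header_version "$1")"
}

# Demo on a constructed plugin directory (the file name is made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/post-grid-master.php" <<'EOF'
<?php
/**
 * Plugin Name: Post Grid Master
 * Version: 3.4.12
 */
EOF
check_plugin_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real plugin directory with `check_plugin_dir`; an "unknown" result means no header was found and the version should be confirmed with WP-CLI instead.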
Exploit Status
EPSS
0.29% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Post Grid Master plugin to 3.4.13 or later immediately. If the upgrade cannot be applied at once because of compatibility concerns, deactivate the plugin until it can; an unauthenticated LFI should not stay exposed for the sake of a layout feature. If the plugin must remain active in the meantime, put a Web Application Firewall (WAF) in front of it that blocks path traversal sequences (../ and their URL-encoded forms) and PHP stream wrappers in requests to the plugin's endpoints, and review upload handling so that no attacker-supplied file can be written to disk where it could later be included. Monitor web server and WordPress logs for requests to the plugin carrying unusual file paths, and treat PHP executing from the uploads directory or other unexpected locations as a confirmed compromise.
Update the Post Grid Master plugin to the latest available version. The vulnerability allows local file inclusion, which can permit execution of arbitrary PHP code on the server.
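A minimal log triage for the monitoring step above, as an added example that is not part of the advisory. It looks for generic LFI indicators (path traversal, its URL-encoded forms, PHP stream wrappers) in requests to WordPress' admin-ajax.php or to the plugin's directory; these are class-level signatures, not a signature of this specific CVE. The sample log lines, the action value and the "template" parameter in them are constructed for the demo; the plugin's real request format is not documented on this page.

```shell
#!/usr/bin/env bash
# Added example: hunt a combined-format access log for LFI indicators aimed at
# WordPress' AJAX entry point or the plugin directory. The indicators are
# generic LFI signatures, not a signature of CVE-2024-11642 itself.
set -u

PLUGIN_SLUG="ajax-filter-posts"

# Read log lines on stdin, print only those that (a) target admin-ajax.php or
# the plugin's directory and (b) carry traversal or stream-wrapper markers.
lfi_suspects() {
    grep -E "(admin-ajax\.php|wp-content/plugins/${PLUGIN_SLUG}/)" \
    | grep -iE '(\.\./|\.\.%2f|%2e%2e|%252e%252e|php://|data://|expect://|phar://|file://|zip://)' \
    || true
}

# Number of suspicious lines (0 when there are none), usable as a cron alert threshold.
lfi_suspect_count() {
    lfi_suspects | grep -c . || true
}

# Constructed sample log (RFC 5737 test addresses; "example_filter" and the
# "template" parameter are placeholders, not the plugin's real request format).
SAMPLE_LOG='203.0.113.7 - - [09/Jan/2025:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&template=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [09/Jan/2025:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&template=grid-default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jan/2025:10:16:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "python-requests/2.31"
198.51.100.77 - - [09/Jan/2025:10:17:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter&template=..%2f..%2fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
192.0.2.5 - - [09/Jan/2025:10:18:12 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.4.0"'

# Demo: prints the two admin-ajax.php lines carrying traversal markers.
printf '%s\n' "$SAMPLE_LOG" | lfi_suspects
```

Two caveats when running this on real logs: an access log records only the request line, so a POST to admin-ajax.php with the payload in the body (the third sample line) is invisible here and needs WAF or full-request logging to catch; and the patterns are matched against the whole line, so a traversal string in a Referer or User-Agent field will also be flagged, which is usually still worth a look.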
CVE-2024-11642 is a critical Local File Inclusion vulnerability in the Post Grid Master plugin for WordPress that lets unauthenticated attackers include arbitrary local files and execute any PHP code they contain.
You are affected if you run Post Grid Master version 3.4.12 or earlier. Upgrade to 3.4.13 or later immediately.
Upgrade the Post Grid Master plugin to 3.4.13 or the latest available version. If that is not possible right away, deactivate the plugin until it is, or at minimum block path traversal and PHP stream-wrapper patterns in requests to it with a WAF.
Active exploitation has not been confirmed (the vulnerability is not in CISA KEV and its EPSS score is 0.29%), but the flaw is unauthenticated and easy to trigger, so it is likely to be targeted; do not wait for confirmation before patching.
Check the plugin's page in the WordPress plugin repository or the developer's website for the official advisory and the 3.4.13 release.