Platform: wordpress
Component: listingpro-plugin
Fixed in: 2.9.4
CVE-2024-39619 describes a Path Traversal vulnerability in the ListingPro WordPress plugin. The flaw stems from improper limitation of user-controlled file paths to the intended directory, resulting in PHP Local File Inclusion. Versions of ListingPro prior to 2.9.4 are vulnerable, and a patch has been released to address the issue.
The Path Traversal vulnerability in ListingPro allows an attacker to include arbitrary files from the server's filesystem. This is a severe risk because it can lead to Remote Code Execution (RCE) if the attacker can include a file containing malicious PHP code. Successful exploitation could grant an attacker complete control over the WordPress instance, enabling them to steal sensitive data, modify website content, or even use the server as a launchpad for further attacks. The impact is particularly high given the plugin's potential use in listing directories and business websites, which often contain valuable customer data and financial information.
CVE-2024-39619 was publicly disclosed on August 1, 2024. While no public proof-of-concept (POC) code has been widely released, the nature of Path Traversal vulnerabilities makes it likely that one will emerge. The EPSS score is likely to be medium to high, given the potential for RCE and the widespread use of WordPress. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites using the ListingPro WordPress plugin, particularly those running versions prior to 2.9.4, are at risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and plugin updates. Businesses relying on ListingPro for directory listings or business profiles are also at heightened risk due to the potential exposure of sensitive customer data.
• wordpress / composer / npm:
grep -r '../' /var/www/html/wp-content/plugins/listingpro/*
• generic web:
curl -I 'https://example.com/wp-content/plugins/listingpro/../../../../etc/passwd'
• wordpress / composer / npm:
wp plugin list --status=active | grep listingpro
Disclosure
Exploit Status
EPSS: 1.66% (82nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-39619 is to immediately upgrade the ListingPro plugin to version 2.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict file upload permissions and carefully review any user-supplied input that is used in file inclusion operations. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that it is blocked or results in an error.
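The two defensive measures named above, validating any user-supplied value that reaches a file inclusion and blocking traversal sequences at the WAF, are illustrated below. This is an added, generic example and not ListingPro's code: the template directory, the template names and the log lines are constructed for the demonstration, and nothing here reflects how the plugin itself resolves files. The containment check goes beyond a plain `../` filter by resolving symlinks and comparing against the real base directory; the detector decodes percent-encoding repeatedly so that `%2e%2e%2f` and double-encoded variants are caught as well.

```python
"""Added illustration (not ListingPro's code): a safe template resolver and a
WAF-style detector for path traversal attempts in web server access logs."""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import unquote


def make_template_dir() -> str:
    """Constructed sample: a plugin-style template directory with two legitimate files."""
    base = tempfile.mkdtemp(prefix="listingpro-templates-")
    for name in ("listing.php", "profile.php"):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("<?php // sample template ?>\n")
    return base


def resolve_template(base_dir: str, requested: str) -> Optional[str]:
    """Return an absolute path inside base_dir for `requested`, or None if the
    value is not a safe, existing template.

    Two independent layers:
      1. an allowlist on the name itself (letters, digits, dash, underscore),
         which rejects '.', '/', '\\' and NUL before any path arithmetic;
      2. a realpath containment check, so that even if layer 1 were relaxed
         a resolved path (symlinks included) could never escape base_dir.
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", requested):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, requested + ".php"))
    # commonpath() raises ValueError for paths on different drives (Windows);
    # treat that as "outside the base directory".
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


# A '..' segment followed by a slash, backslash or end of string.
TRAVERSAL = re.compile(r"\.\.(?=[\\/]|$)")


def is_traversal_attempt(raw_path: str, rounds: int = 3) -> bool:
    """Decode percent-encoding up to `rounds` times (catches %2e%2e%2f and
    double encoding such as %252e%252e%252f), then look for a '..' segment."""
    decoded = raw_path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return bool(TRAVERSAL.search(decoded))


# Constructed access-log lines (not real traffic); the first reuses the
# traversal request from the check above, the next two are encoded variants.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /wp-content/plugins/listingpro/../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.6 - - [01/Aug/2024:10:00:02 +0000] "GET /listing/?template=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Aug/2024:10:00:03 +0000] "GET /listing/?template=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Aug/2024:10:00:04 +0000] "GET /listing/?template=profile HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for each line whose request looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    base = make_template_dir()
    print("profile ->", resolve_template(base, "profile"))
    print("../../etc/passwd ->", resolve_template(base, "../../etc/passwd"))
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, ":", path)
```

The allowlist is the control that actually closes an LFI: once the include target is restricted to a fixed set of names, neither `../` nor encoding tricks have anything to act on, and the containment check only remains as a second line of defence. The detector is a heuristic suitable for a WAF rule or log triage; a legitimate path such as `foo../bar` would also be flagged, which is the usual trade-off for a traversal signature.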
Update the ListingPro plugin to the latest available version. The local file inclusion vulnerability allows attackers to gain access to sensitive files on the server. The update corrects this vulnerability and protects your website.
CVE-2024-39619 is a critical Path Traversal vulnerability in the ListingPro WordPress plugin, allowing attackers to potentially include arbitrary files and execute code.
Yes, if you are using ListingPro version 2.9.3 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade the ListingPro plugin to version 2.9.4 or later to resolve this vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the CridioStudio website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-39619.