Platform
wordpress
Component
classic-addons-wpbakery-page-builder-addons
Fixed in
3.0.1
CVE-2024-11952 describes a Limited Local PHP File Inclusion (LFI) vulnerability affecting the Classic Addons – WPBakery Page Builder plugin for WordPress. This vulnerability allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server. The vulnerability impacts versions of the plugin up to and including 3.0. A fix is available in a patched version of the plugin.
An attacker exploiting this LFI vulnerability could gain significant control over a WordPress site. By abusing the 'style' parameter, a user with Contributor-level access or higher can include and execute arbitrary PHP code. This could lead to the disclosure of sensitive information stored on the server, such as database credentials or configuration files. Beyond disclosure, the attacker could execute malicious code, leading to complete compromise of the WordPress installation and potentially the underlying server. The ability to execute arbitrary code opens the door to a wide range of attacks, including defacement, data theft, and the installation of backdoors.
CVE-2024-11952 was publicly disclosed on December 4, 2024. While no public exploits have been widely reported, the ease of exploitation and the potential impact make it a concerning vulnerability. The requirement for authenticated access limits the immediate scope of the attack, but the prevalence of WordPress and the common practice of granting contributor-level access to multiple users increases the overall risk. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Classic Addons – WPBakery Page Builder plugin, particularly those with multiple users granted Contributor-level access or higher, are at risk. Shared hosting environments where users have limited control over plugin updates and configurations are also particularly vulnerable. Sites with legacy configurations or outdated security practices are more susceptible to exploitation.
• wordpress: Use wp-cli to check the installed plugin version:
wp plugin list | grep 'Classic Addons'
• wordpress: Search plugin files for the vulnerable 'style' parameter usage. Look for patterns like include($_GET['style']); or similar.
• generic web: Monitor web server access logs for requests containing suspicious file paths in the 'style' parameter, such as /../../../../etc/passwd.
• generic web: Check WordPress error logs for PHP inclusion errors related to the 'style' parameter.
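The access-log check from the detection list above, as an added Python example that is not part of this advisory or of the plugin's code: it parses combined-format access-log lines (constructed samples; the request path and the placement of the 'style' parameter are assumptions) and flags any decoded 'style' value that is not a plain slug. That allowlist rule is the same check a hardened include should enforce, so one definition serves both detection and validation.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines in combined format. The request path is an assumption,
# not the plugin's real endpoint; only the 'style' query value matters here.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [04/Dec/2024:10:03:40 +0000] "GET /?p=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.8 - - [04/Dec/2024:10:04:01 +0000] "GET /wp-admin/admin-ajax.php?style=%2e%2e%2fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Allowlist: a legitimate style name is a short slug. Rejecting everything else covers
# traversal, absolute paths, stream wrappers and encoded bytes without a denylist to maintain.
SAFE_STYLE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def is_safe_style(value: str) -> bool:
    """True if the 'style' value is a plain slug and can never name a path."""
    return SAFE_STYLE.fullmatch(value) is not None


def find_suspicious_style_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded 'style' parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so %2e%2e%2f is inspected as ../ just as PHP would see it.
        query = parse_qs(urlparse(m.group(1)).query)
        for style in query.get("style", []):
            if not is_safe_style(style):
                hits.append({"client": line.split(" ", 1)[0],
                             "status": m.group(2),
                             "style": style})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_style_requests(SAMPLE_LOG):
        print(f"{hit['client']} status={hit['status']} style={hit['style']!r}")
```

A hit with a 200 status deserves more attention than one with a 500, since the former suggests the include succeeded.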
disclosure
Exploit Status
EPSS
0.12% (30th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11952 is to upgrade the Classic Addons – WPBakery Page Builder plugin to a patched version. If upgrading immediately is not possible due to compatibility issues or testing requirements, consider temporarily restricting file upload permissions for users with Contributor access. Additionally, implement strict input validation on the 'style' parameter to prevent malicious file paths from being included. Web Application Firewalls (WAFs) configured to filter out suspicious file inclusion attempts can provide an additional layer of protection. Monitor WordPress logs for unusual file access patterns.
Update the Classic Addons – WPBakery Page Builder plugin to the latest available version. This will fix the local PHP file inclusion vulnerability.
CVE-2024-11952 is a Limited Local PHP File Inclusion vulnerability in the Classic Addons plugin for WordPress, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Classic Addons – WPBakery Page Builder version 3.0 or earlier.
Upgrade the Classic Addons – WPBakery Page Builder plugin to the latest patched version.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Classic Addons website or the WPBakery Page Builder security advisory for updates and details.