Platform
wordpress
Component
infusionsoft-official-opt-in-forms
Fixed in
2.0.2
CVE-2024-13725 is a critical Local File Inclusion (LFI) vulnerability affecting the Keap Official Opt-in Forms plugin for WordPress. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to code execution and significant compromise. The vulnerability impacts versions of the plugin up to and including 2.0.1. A patch is expected to be released by the vendor.
The impact of CVE-2024-13725 is severe due to the potential for arbitrary code execution. An attacker can leverage the LFI vulnerability to include malicious PHP files, effectively gaining control over the web server. This could lead to data breaches, defacement of the website, or even complete server takeover. The description highlights a particularly concerning scenario: if register_argc_argv is enabled and pearcmd.php is present, the vulnerability could be exploited for Remote Code Execution (RCE), significantly expanding the attack surface. The ability to upload and include PHP files is a key prerequisite for exploitation, but the potential consequences are substantial.
CVE-2024-13725 was publicly disclosed on 2025-02-18. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. The CRITICAL CVSS score indicates a high probability of exploitation. Active campaigns targeting WordPress plugins are common, so this vulnerability is likely to attract attention from malicious actors.
WordPress websites using the Keap Official Opt-in Forms plugin, particularly those running versions 2.0.1 or earlier, are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited access controls and are more susceptible to cross-site contamination. Websites with weak file upload security configurations are also at increased risk.
• wordpress / composer / npm:
grep -r 'service=../../../../' /var/www/html/wp-content/plugins/keap-official-opt-in-forms/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/keap-official-opt-in-forms/service?service=../../../../etc/passwd | grep 'Content-Type:'
Exploit Status
EPSS
0.43% (63rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13725 is to upgrade the Keap Official Opt-in Forms plugin to a version containing the fix. Until a patch is available, consider disabling the plugin entirely to prevent exploitation. If disabling the plugin is not feasible, implement strict file access controls on the WordPress server to prevent attackers from uploading malicious PHP files. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can provide an additional layer of defense. Monitor WordPress access logs for suspicious file inclusion attempts, particularly those targeting the service parameter.
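The log-monitoring step above, worked through as an added example (not code from the advisory or the plugin): it parses combined-format access-log lines, constructed here for illustration, and flags requests to the plugin path whose `service` parameter carries traversal, an absolute path, or a `.php` include. The plugin path and the `service` parameter name are taken from the page; the log lines and IPs are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2025:10:01:02 +0000] "GET /wp-content/plugins/keap-official-opt-in-forms/service?service=../../../../etc/passwd HTTP/1.1" 200 1812 "-" "curl/8.0"
203.0.113.5 - - [18/Feb/2025:10:01:09 +0000] "GET /wp-content/plugins/keap-official-opt-in-forms/service?service=..%252F..%252F..%252F..%252Fetc%252Fhosts HTTP/1.1" 200 540 "-" "curl/8.0"
198.51.100.7 - - [18/Feb/2025:10:02:15 +0000] "GET /wp-content/plugins/keap-official-opt-in-forms/service?service=optin HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2025:10:03:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Plugin path as written on the advisory page.
PLUGIN_PATH = "/wp-content/plugins/keap-official-opt-in-forms/"
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_service_value(value: str) -> bool:
    """True if a `service` value looks like a file-inclusion attempt.

    parse_qs has already decoded the value once; decoding once more catches
    double-encoded traversal (e.g. %252F -> %2F -> /).
    """
    decoded = unquote(value)
    if ".." in decoded or decoded.startswith("/") or "\\" in decoded or "\x00" in decoded:
        return True
    return decoded.lower().endswith(".php")


def find_lfi_attempts(log_text: str) -> list[dict]:
    """Return one record per request hitting the plugin path with a suspicious `service` value."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(PLUGIN_PATH):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("service", []):
            if is_suspicious_service_value(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "service": unquote(value)})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

Pipe real access logs in place of `SAMPLE_LOG` and correlate hits with a 200 status, since a successful include returns the file rather than an error.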
Update the Keap Official Opt-in Forms plugin to the latest available version. The vulnerability is present in versions prior to the latest one. This will resolve the local file inclusion issue.
CVE-2024-13725 is a critical Local File Inclusion vulnerability in the Keap Official Opt-in Forms WordPress plugin, allowing attackers to include arbitrary PHP files and potentially execute code.
You are affected if you are using Keap Official Opt-in Forms plugin versions 2.0.1 or earlier. Upgrade immediately to mitigate the risk.
Upgrade the Keap Official Opt-in Forms plugin to the latest version containing the fix. If upgrading is not immediately possible, disable the plugin or implement file access controls.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Refer to the Keap website and WordPress plugin repository for official advisories and updates regarding CVE-2024-13725.