Platform
wordpress
Component
xstore
Fixed in
9.3.9
CVE-2024-33560 describes a critical Path Traversal vulnerability affecting the XStore WordPress plugin. This flaw allows attackers to potentially include arbitrary PHP files, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of XStore up to and including 9.3.8, and a patch is available in version 9.3.9.
The core of this vulnerability lies in the improper handling of file paths within the XStore plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and accessing files outside the designated directory. Successful exploitation allows for PHP Local File Inclusion (LFI). This means an attacker could include configuration files, database credentials, or even system files, potentially gaining access to sensitive information. In a worst-case scenario, an attacker could include a malicious PHP script, leading to remote code execution and complete control over the affected WordPress site. The potential for data breaches and system compromise is significant.
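The pattern described above (a request parameter steering which PHP file gets included) is best countered at the point of inclusion. The following PHP helper is an added example, not XStore's code and not the patched 9.3.9 implementation: it assumes a hypothetical template directory and allowlist, and uses the real WordPress functions `sanitize_key()` and `status_header()`, so it is meant to run inside a WordPress request.

```php
<?php
// Added example (not XStore's code): a hardened template-include helper of the
// kind a WordPress plugin should use when a request parameter selects a file.
// Assumptions: templates live in a fixed directory (hypothetical constant below)
// and only names on an explicit allowlist may ever be included.

declare(strict_types=1);

const XSTORE_EXAMPLE_TEMPLATE_DIR = __DIR__ . '/templates';          // hypothetical
const XSTORE_EXAMPLE_ALLOWED      = ['product-grid', 'product-list', 'cart-mini'];

/**
 * Resolve a user-supplied template name to an absolute path inside the
 * template directory, or return null if the request must be rejected.
 */
function xstore_example_resolve_template(string $name): ?string
{
    // 1. Allowlist first: the name must be one of the known templates. This
    //    alone defeats traversal, because "../" never equals an allowed entry.
    if (!in_array($name, XSTORE_EXAMPLE_ALLOWED, true)) {
        return null;
    }

    // 2. Defence in depth: resolve symlinks and ".." segments, then confirm the
    //    result is still below the template directory. realpath() returns
    //    false for a missing file, which is treated as a rejection too.
    $base = realpath(XSTORE_EXAMPLE_TEMPLATE_DIR);
    $path = realpath(XSTORE_EXAMPLE_TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage inside a request handler: sanitize, resolve, then include or 404.
// sanitize_key() (WordPress core) strips everything but [a-z0-9_-], so "." and
// "/" never reach the resolver; the resolver still checks independently.
$requested = isset($_GET['template']) ? sanitize_key((string) $_GET['template']) : '';
$template  = xstore_example_resolve_template($requested);
if ($template === null) {
    // Record the rejected value so the log monitoring recommended in this
    // advisory has something concrete to alert on.
    error_log('xstore-example: rejected template parameter: ' . $requested);
    status_header(404);
    exit;
}
include $template;
```

The allowlist is the actual control; the `realpath()` containment check is there so that a later change to the allowlist (for example, accepting a subdirectory) cannot silently reintroduce traversal.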
CVE-2024-33560 was publicly disclosed on June 4, 2024. The vulnerability's ease of exploitation and the potential for severe impact suggest a medium probability of exploitation. No public proof-of-concept (PoC) code has been widely released as of this writing, but the path traversal nature of the vulnerability makes it relatively straightforward to exploit. It has not yet been added to the CISA KEV catalog.
Websites utilizing the XStore WordPress plugin, particularly those running older versions (≤9.3.8), are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the update. Sites with less stringent file access controls are more susceptible to exploitation.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/xstore/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/xstore/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --status=inactive | grep xstore
• wordpress / composer / npm:
wp plugin update xstore --all
Disclosure
Exploit Status
EPSS
1.66% (82nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-33560 is to immediately upgrade the XStore plugin to version 9.3.9 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious path traversal patterns. Carefully review and restrict file access permissions within the WordPress environment. Monitor WordPress logs for unusual file access attempts. While a direct detection signature is difficult, monitor for PHP file inclusions outside of the expected XStore directories.
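To make the "monitor WordPress logs for unusual file access attempts" advice concrete, here is an added example (not from the advisory or the XStore project) that scans web-server access log lines for traversal sequences aimed at the plugin path. The log lines are constructed for the example; the plugin path is the one already quoted in this advisory.

```php
<?php
// Added example (not XStore's code): flag access-log requests that target the
// XStore plugin path and carry traversal sequences, raw or URL-encoded.
// The log lines below are constructed sample data, not real traffic.

declare(strict_types=1);

const XSTORE_EXAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [04/Jun/2024:10:01:02 +0000] "GET /wp-content/plugins/xstore/assets/css/style.css HTTP/1.1" 200 1432
203.0.113.9 - - [04/Jun/2024:10:01:07 +0000] "GET /wp-content/plugins/xstore/../../../../etc/passwd HTTP/1.1" 403 0
203.0.113.9 - - [04/Jun/2024:10:01:09 +0000] "GET /wp-content/plugins/xstore/?template=..%2f..%2fwp-config HTTP/1.1" 200 812
198.51.100.2 - - [04/Jun/2024:10:02:15 +0000] "GET /wp-content/plugins/xstore/?template=product-grid HTTP/1.1" 200 5120
LOG;

/**
 * Return the log lines that look like traversal attempts against the plugin.
 * The request target is percent-decoded twice so that encoded (%2e%2e%2f) and
 * double-encoded (%252e) forms are matched as well as the literal "../".
 */
function xstore_example_find_traversal(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted "METHOD target HTTP/x" field.
        if (!preg_match('/"\w+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = rawurldecode(rawurldecode($m[1]));
        if (stripos($target, '/wp-content/plugins/xstore') === false) {
            continue;               // not aimed at the plugin in question
        }
        if (preg_match('#(\.\./|\.\.\\\\)#', $target)) {
            $hits[] = $line;        // "../" or "..\" after decoding
        }
    }
    return $hits;
}

// Usage: with the sample data above this prints the second and third lines.
foreach (xstore_example_find_traversal(XSTORE_EXAMPLE_LOG) as $hit) {
    echo 'TRAVERSAL? ', $hit, PHP_EOL;
}
```

A 200 response on a traversal-shaped request (the third sample line) is the case worth paging on; a 403 shows the WAF or web server already refused it. The same decoded pattern is what a WAF rule for this plugin path should match on.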
Update the XStore theme to the latest available version. If no version is available, consider disabling or replacing the theme until an update that fixes the vulnerability is released. Check the vendor's website for more information and updates.
CVE-2024-33560 is a critical Path Traversal vulnerability in the XStore WordPress plugin, allowing attackers to potentially include arbitrary PHP files.
You are affected if you are using XStore versions 9.3.8 or earlier. Upgrade to 9.3.9 to resolve the vulnerability.
Upgrade the XStore plugin to version 9.3.9 or later. If upgrading is not immediately possible, implement WAF rules and restrict file access permissions.
While no widespread exploitation has been confirmed, the vulnerability's nature suggests a medium probability of exploitation. Monitor your systems closely.
Refer to the official XStore website and WordPress plugin repository for the latest advisory and update information.