Platform
wordpress
Component
pluginpass-pro-plugintheme-licensing
Fixed in
0.9.11
CVE-2024-54291 is an arbitrary file access (path traversal) vulnerability in PluginPass, a WordPress plugin for plugin and theme licensing. User-controlled input reaches a file path without adequate validation, so an attacker can read, download and, as this advisory also reports, delete files on the server's file system that the PHP process can reach. Reading a file exposes its contents; it does not execute it, so code execution is not a direct consequence of the bug, although credentials recovered this way can be chained into one. Versions up to and including 0.9.10 are affected; the fix shipped in 0.9.11.
The vulnerability lets an attacker read any file the PHP process can open: plugin and theme source, server configuration, and above all wp-config.php, which holds the database credentials and authentication salts; API keys stored in the file system are exposed the same way. Database access is usually enough to create an administrator account or tamper with stored options, which in practice is full control of the site. Because the advisory also reports arbitrary deletion, an attacker can remove files to disrupt the site or strip protective configuration. Reading a file does not execute it, so code execution is a follow-on step through stolen credentials rather than a direct result. The impact widens on servers that host several sites or applications: where the PHP user can read beyond this site's document root, a compromised PluginPass instance becomes a foothold against the neighbouring installations.
CVE-2024-54291 was publicly disclosed on 2025-03-28. At the time of writing there are no known active campaigns targeting it, no public proof-of-concept exploit, and no entry in the CISA KEV catalog. That said, path traversal in a public WordPress plugin is exactly the kind of bug mass scanners pick up once a version check or request pattern circulates, so the absence of a PoC today is not a reason to defer patching.
WordPress sites running PluginPass 0.9.10 or earlier are affected. Shared hosting accounts are at higher risk because the tenant usually cannot tighten file permissions or PHP restrictions at the server level, and sites that do not update plugins regularly are more likely still to be on a vulnerable release.
• wordpress (shell): confirm the installed version from the plugin header (the directory name pluginpass is the slug this page uses; adjust it if your install differs):
grep -rEi -m1 '^[[:space:]]*\*?[[:space:]]*Version:' /var/www/html/wp-content/plugins/pluginpass/*.php
• generic web: check that raw traversal sequences are rejected at the edge (--path-as-is stops curl from collapsing the ../ itself; this exercises the web server or WAF, not the plugin's vulnerable code path, which this advisory does not identify):
curl --path-as-is -I 'https://your-wordpress-site.com/wp-content/plugins/pluginpass/../../../../etc/passwd'
• wordpress (WP-CLI): list the plugin with its status and version, whether or not it is active:
wp plugin list --fields=name,status,version | grep -i pluginpass
• wordpress (WP-CLI): update to the fixed release:
wp plugin update pluginpass
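Building on the checks above, here is an added example (not part of this advisory or of PluginPass) that scans web-server access logs for traversal attempts against plugin paths, decoding the percent-encoded, double-encoded and backslash forms that a plain grep for "../" misses. The log lines are constructed, and the endpoint name example-endpoint.php and the file parameter are placeholders: this page does not identify the vulnerable request, so the scanner keys on the traversal sequence and the plugin directory rather than on a specific URL.

```python
"""Flag path-traversal attempts against WordPress plugin paths in access logs."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed sample log lines (combined log format); the endpoint and the
# "file" parameter are placeholders, not the real PluginPass request.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/pluginpass/example-endpoint.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
203.0.113.5 - - [28/Mar/2025:10:01:03 +0000] "GET /wp-content/plugins/pluginpass/example-endpoint.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1402 "-" "curl/8.4.0"
203.0.113.5 - - [28/Mar/2025:10:01:04 +0000] "GET /wp-content/plugins/pluginpass/example-endpoint.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.5 - - [28/Mar/2025:10:01:05 +0000] "GET /wp-content/plugins/pluginpass/example-endpoint.php?file=..%5C..%5Cwp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [28/Mar/2025:10:02:00 +0000] "GET /wp-content/plugins/pluginpass/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2025:10:02:01 +0000] "GET /?s=..%2Fsearch HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# A ".." segment followed by a forward slash, a backslash, or the end of the string.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")


@dataclass
class Hit:
    client: str
    timestamp: str
    status: int
    target: str   # request target exactly as logged
    decoded: str  # target after bounded percent-decoding


def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    %252e%252e%252f both surface as '../'. The bound keeps crafted input from
    looping; three rounds cover double encoding with one to spare."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_traversal(target: str) -> bool:
    """True if the decoded target contains a traversal segment."""
    return TRAVERSAL_RE.search(normalize(target)) is not None


def scan_log(text: str, path_prefix: str = "/wp-content/plugins/") -> List[Hit]:
    """Return traversal attempts whose decoded path starts with path_prefix.

    Scoping to the plugin directory keeps an ordinary '../' inside a search
    string or comment body from being reported; pass path_prefix="/" to see
    every traversal attempt in the log.
    """
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, timestamp, _method, target, status = m.groups()
        decoded = normalize(target)
        path = decoded.split("?", 1)[0]
        if path.startswith(path_prefix) and is_traversal(decoded):
            hits.append(Hit(client, timestamp, int(status), target, decoded))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client} {h.timestamp} {h.status} {h.decoded}")
```

Status codes are worth keeping in the output: a 200 on a traversal request against a vulnerable version is the line to escalate, while a steady stream of 404s from one client is reconnaissance.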
Exploit status
EPSS
0.24% (48th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-54291 is to upgrade PluginPass to 0.9.11 or later without delay. If the upgrade has to wait for compatibility testing, limit the damage in the meantime. Web-server deny rules for sensitive directories (Apache or Nginx location blocks) only govern direct HTTP requests for those paths; they do not stop a PHP script from opening the same files, so the server-side controls that actually help are file permissions that keep everything outside the site's document root unreadable to the PHP user, and PHP's open_basedir restriction scoped to that site. A Web Application Firewall rule that blocks traversal sequences stops unsophisticated scanners, but it has to match the decoded request rather than the literal string ../: include %2e%2e%2f, ..%2f, double-encoded %252e%252e%252f and backslash forms such as ..%5c. After upgrading, confirm that the version WordPress reports (Plugins page or WP-CLI) is 0.9.11 or later; a browser request for a "restricted file" is not a meaningful test unless it targets the vulnerable endpoint and parameter, which this advisory does not identify.
Update the PluginPass plugin to the latest available version. The vulnerability allows arbitrary file download and deletion, so updating as soon as possible is crucial. Check the plugin's page in the WordPress repository for the most recent version.
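As an added example, not code from PluginPass or from this advisory (the page does not say how 0.9.11 fixes the bug), the block below shows the containment check that any file-download or file-delete handler needs, and why a string check on the request is not a substitute for it. It is written in Python as a language-neutral illustration; PHP's realpath() plays the same role as os.path.realpath here. The directory layout, file names and symlink are constructed for the demonstration.

```python
"""Canonical-path containment: the check a file-download handler needs."""
import os
import shutil
import tempfile
from typing import Dict, Tuple


def naive_is_inside(base_dir: str, user_path: str) -> bool:
    """The flawed pattern: join, then compare string prefixes without
    canonicalising. '../' is never collapsed, so 'base/../secret.txt'
    still 'starts with' base."""
    return os.path.join(base_dir, user_path).startswith(base_dir)


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Canonicalise both sides (collapsing '..', resolving symlinks) and
    require the result to sit under base_dir. An absolute user_path makes
    os.path.join discard base_dir; the commonpath test rejects that too.
    commonpath rather than startswith avoids the 'uploads' vs 'uploads-old'
    prefix collision. Raises ValueError on escape."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Exercise both checks on constructed inputs in a throwaway directory
    tree. Returns {case: (naive_verdict, hardened_verdict)}, True = allowed."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "uploads")
        os.makedirs(base)
        with open(os.path.join(base, "licence.txt"), "w") as fh:
            fh.write("inside")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside")
        # Constructed: a symlink inside the directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))

        cases = {
            "legit": "licence.txt",
            "dotdot": "../secret.txt",
            # Escapes to a sibling whose name shares the prefix: even a
            # startswith check on the realpath would wave this through.
            "sibling": "../uploads-old/secret.txt",
            "absolute": os.path.join(root, "secret.txt"),
            "symlink": "link",
        }
        results: Dict[str, Tuple[bool, bool]] = {}
        for name, user_path in cases.items():
            try:
                resolve_inside(base, user_path)
                hardened = True
            except ValueError:
                hardened = False
            results[name] = (naive_is_inside(base, user_path), hardened)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, (naive, hardened) in demo().items():
        print(f"{case:9} naive={'allow' if naive else 'deny':5} "
              f"hardened={'allow' if hardened else 'deny'}")
```

Resolving symlinks before the comparison is a design choice: it rejects a link that points outside the directory even though the link itself lives inside it, which is the behaviour you want for a download endpoint where the directory contents may be writable by other tenants.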
CVE-2024-54291 is a HIGH severity path traversal vulnerability in PluginPass affecting versions up to and including 0.9.10. It allows an attacker to read, and as this advisory also notes download and delete, files on the server.
You are affected if you are using PluginPass version 0.9.10 or earlier. Check your plugin version and update immediately.
Upgrade PluginPass to version 0.9.11 or later. If immediate upgrade is not possible, restrict file access permissions and implement WAF rules.
Currently, there are no confirmed active exploits, but the vulnerability's nature makes it a potential target.
Refer to the PluginPass project's official website or repository for the latest security advisories and updates.