WordPress InstaWP Connect 插件 <= 0.1.0.38 - 任意文件上传漏洞
平台
wordpress
组件
instawp-connect
修复版本
0.1.1
CVE-2024-37228 is a critical Arbitrary File Access vulnerability affecting InstaWP Connect, a WordPress plugin. This flaw allows attackers to inject code, potentially leading to unauthorized access and data exposure. Versions of InstaWP Connect prior to 0.1.1 (inclusive of versions up to 0.1.0.38) are vulnerable. A patch is available in version 0.1.1.
检测此 CVE 是否影响你的项目
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
影响与攻击场景翻译中…
The Arbitrary File Access vulnerability in InstaWP Connect poses a significant risk. An attacker can leverage this flaw to read any file accessible by the web server process. This includes sensitive configuration files, database credentials, and potentially even source code. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. The impact extends beyond the plugin itself, potentially affecting the entire WordPress installation. Given the ease of file path manipulation in many web environments, this vulnerability is considered highly exploitable. The ability to read arbitrary files opens the door to further attacks, such as privilege escalation and data exfiltration.
利用背景翻译中…
CVE-2024-37228 was published on June 24, 2024. The vulnerability's critical CVSS score (10) indicates a high probability of exploitation. While no public Proof-of-Concept (POC) code has been widely reported, the ease of exploitation inherent in Arbitrary File Access vulnerabilities suggests that it is likely to be targeted. Its presence on the NVD (National Vulnerability Database) increases the likelihood of automated scanning and exploitation attempts. There is no indication of active campaigns targeting this specific vulnerability at this time.
威胁情报
漏洞利用状态
EPSS
0.99% (77% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 高 — 完全丧失机密性,攻击者可读取所有数据。
- Integrity
- 高 — 攻击者可写入、修改或删除任何数据。
- Availability
- 高 — 完全崩溃或资源耗尽,完全拒绝服务。
受影响的软件
软件包信息
- 活跃安装数
- 40K已知
- 插件评分
- 4.5
- 需要WordPress版本
- 5.6+
- 兼容至
- 6.9.4
- 需要PHP版本
- 7.0+
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2024-37228 is to immediately upgrade InstaWP Connect to version 0.1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Restrict file permissions on the WordPress server to minimize the potential damage from unauthorized file access. Implement a Web Application Firewall (WAF) with rules to block attempts to access files outside of the intended directories. Monitor server logs for suspicious file access attempts. After upgrading to version 0.1.1, verify the fix by attempting to access a sensitive file via a crafted URL; access should be denied.
修复方法
将 InstaWP Connect 插件更新到最新可用版本。该漏洞允许进行任意文件上传,这可能会危及您的网站安全。更新可以修复此漏洞。
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2024-37228 — Arbitrary File Access in InstaWP Connect?
It's a critical Arbitrary File Access vulnerability in InstaWP Connect, allowing attackers to read sensitive files.
Am I affected by CVE-2024-37228 in InstaWP Connect?
Yes, if you're using InstaWP Connect versions 0.1.0.38 or earlier. Upgrade immediately.
How do I fix CVE-2024-37228 in InstaWP Connect?
Upgrade InstaWP Connect to version 0.1.1 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting file permissions.
Is CVE-2024-37228 being actively exploited?
While no active campaigns are confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Where can I find the official InstaWP Connect advisory for CVE-2024-37228?
Refer to the official InstaWP Connect advisory and the NVD entry for CVE-2024-37228 for detailed information.