Platform
wordpress
Component
ajax-filter-posts
Fixed version
3.4.13
CVE-2024-11642 represents a critical Local File Inclusion (LFI) vulnerability affecting the Post Grid Master WordPress plugin. This flaw allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the plugin up to and including 3.4.12, and a patch is expected to be released by the vendor.
The impact of this LFI vulnerability is severe. An attacker can leverage it to execute arbitrary PHP code on the WordPress server. This can lead to a complete takeover of the website, including data exfiltration, modification of content, and installation of malware. The ability to execute arbitrary code bypasses standard access controls, making it a highly dangerous vulnerability. Attackers could potentially upload malicious PHP scripts disguised as images or other file types to be included and executed, effectively gaining remote code execution (RCE).
This vulnerability is considered high risk due to its ease of exploitation and potential impact. Public proof-of-concept (PoC) code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on 2025-01-09. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
WordPress websites utilizing the Post Grid Master plugin, particularly those running versions 3.4.12 or earlier, are at significant risk. Shared hosting environments are especially vulnerable as they often lack granular access controls, making it easier for attackers to exploit the vulnerability.
• wordpress / composer / npm:
grep -r 'locate_template' /var/www/html/wp-content/plugins/post-grid-master/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/post-grid-master/locate_template.php | grep 'Content-Type:'
• wordpress / composer / npm:
wp plugin list --status=all | grep 'Post Grid Master'
disclosure
Exploitation status
EPSS
0.29% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Post Grid Master plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the locate_template function or implementing strict input validation to prevent malicious file paths. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can also provide a layer of defense. Monitor WordPress logs for suspicious activity, particularly attempts to access unusual files or execute PHP code from unexpected locations.
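As an added example (not code from the advisory or from the plugin), the following Python script applies two of the mitigations above: it scans access-log lines for requests whose decoded target carries file-inclusion markers, and it shows an allow-list template resolver of the kind a `locate_template` call should sit behind. The log lines are constructed, and the ajax action name and `template` parameter are assumptions, since the advisory does not name the vulnerable parameter.

```python
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The ajax action and the
# "template" parameter are hypothetical; the advisory does not name them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=pgm_load&template=grid HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=pgm_load&template=../../../../wp-config.php HTTP/1.1" 200 3050
203.0.113.9 - - [10/Jan/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=pgm_load&template=%252e%252e%252fwp-config.php HTTP/1.1" 200 3050
198.51.100.3 - - [10/Jan/2025:10:02:11 +0000] "GET /wp-content/plugins/post-grid-master/assets/style.css HTTP/1.1" 200 8120
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markers of a file-inclusion attempt: directory traversal, stream wrappers, null bytes.
LFI_MARKERS = ("../", "..\\", "php://", "file://", "\x00")

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose decoded target contains an LFI marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        src, method, target, status = m.groups()
        decoded = fully_decode(target)
        if any(marker in decoded for marker in LFI_MARKERS):
            hits.append({"src": src, "method": method, "target": decoded, "status": int(status)})
    return hits

def resolve_template(name: str, template_dir: str, allowed: frozenset) -> Optional[str]:
    """Allow-list resolution: only a known template name inside template_dir is returned."""
    if name not in allowed:
        return None
    base = os.path.realpath(template_dir)
    full = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, full]) != base:  # defence in depth against traversal
        return None
    return full
```

Calling `find_lfi_attempts(SAMPLE_LOG)` flags the two requests from 203.0.113.9 and leaves the benign template load and the static asset untouched.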
Update the Post Grid Master plugin to the latest available version. The vulnerability allows local file inclusion, which may permit execution of arbitrary PHP code on the server.
CVE-2024-11642 is a critical Local File Inclusion vulnerability in the Post Grid Master plugin for WordPress, allowing attackers to execute arbitrary files.
You are affected if you are using Post Grid Master plugin versions 3.4.12 or earlier. Upgrade immediately.
Upgrade the Post Grid Master plugin to the latest available version. If upgrading is not possible, implement temporary workarounds like restricting access to the locate_template function.
While active exploitation is not confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Check the Post Grid Master plugin developer's website or WordPress plugin repository for the official advisory and updated version.