Platform
wordpress
Component
database-backup
Fixed version
2.36.1
CVE-2024-13910 is an arbitrary file deletion vulnerability in the Database Backup and check Tables Automated With Scheduler plugin for WordPress. An authenticated administrator can delete arbitrary files on the server, and that primitive can be chained into remote code execution. The flaw affects plugin versions up to and including 2.35; version 2.36 contained only a partial fix, and the fixed version listed above is 2.36.1.
The primary impact of CVE-2024-13910 is that an authenticated administrator can delete arbitrary files on the server, not just the plugin's own backup files. Deleting wp-config.php is the classic chain: without that file WordPress falls back to its installation flow, and whoever completes it can point the site at a database they control and then install code of their choosing, giving full control of the site and, depending on permissions, the server. The caveat a practitioner will raise is that on a default single-site install an administrator can already install plugins and therefore run code; the added risk matters most where that ability has been removed (DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT, or a multisite where only the super-admin installs plugins), where the deletion reaches files outside the WordPress tree, and where an administrator account has been taken over by phishing or credential stuffing. The combination of a simple deletion primitive with a well-known path to code execution is what makes this a high-severity issue, in line with other file deletion bugs where removing a key configuration file leads to full takeover.
CVE-2024-13910 was publicly disclosed on 2025-03-01. No active exploitation campaigns have been publicly reported. The administrator-privilege requirement raises the barrier compared with unauthenticated flaws, but an attacker holding a stolen administrator credential, or chaining a separate privilege escalation bug, needs nothing more than a request to the vulnerable handler. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available; given how little the exploitation itself requires, they are likely to appear.
Any WordPress site running the Database Backup and check Tables Automated With Scheduler plugin at a vulnerable version is affected. Exposure is highest where the web server user can write to, and therefore delete, wp-config.php and other core files (common on shared hosting), and on neglected installations where plugins are not kept current and administrator accounts are weakly protected.
• wordpress / plugin: Use wp-cli to find installations of the Database Backup and check Tables Automated With Scheduler plugin and read the installed version; the plugin slug is database-backup. Treat anything below 2.36.1 as vulnerable (2.35 and earlier are affected, and 2.36 carries only a partial fix).
wp plugin get database-backup --field=version
• wordpress / plugin: Inspect the plugin source for the databasebackupajax_delete function and the path validation around it. Look for places where a request parameter is used to build the file path without being confined to the plugin's backup directory, for example no realpath comparison against the expected base directory and no rejection of path separators or ".." segments.
• generic web: Monitor for requests reaching the databasebackupajax_delete handler, particularly from unusual IP addresses or user agents. If the handler is registered as a WordPress AJAX action, the request goes to wp-admin/admin-ajax.php with the action name in the POST body, which default access logs do not record; look for the action in the query string where it appears, and rely on WAF or request-body logging for POST requests.
• wordpress / composer / npm: This plugin is not distributed through Composer or npm, so composer audit and npm audit will not report it. Use wp-cli or the WordPress plugin update screen for plugins installed through the WordPress admin, and reserve composer audit and npm audit for dependencies those tools actually manage.
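The version check and log triage from the steps above, written out as a POSIX shell script. This is an added example, not code from the advisory or from the plugin project. It assumes the plugin slug is database-backup and the fixed version is 2.36.1 (both taken from the fields at the top of this page), that wp-cli is installed for the live check, that sort supports -V (GNU and FreeBSD sort do), and that the access log is in the common combined format; the log lines are constructed for the example and the POST request in them is deliberately shown as one the scan cannot classify.

```shell
#!/bin/sh
# Added example for CVE-2024-13910 triage (not the advisory's or the plugin's code).
# Assumptions: plugin slug "database-backup" and fixed version "2.36.1" as listed
# on this page; `sort -V` available; wp-cli present only for check_site.
set -u

FIXED_VERSION="2.36.1"
PLUGIN_SLUG="database-backup"

# is_vulnerable VERSION -> prints "yes" when VERSION sorts before FIXED_VERSION.
# `sort -V` orders "2.36" before "2.36.1", so the partially fixed 2.36 is still flagged.
is_vulnerable() {
    candidate="$1"
    lowest=$(printf '%s\n%s\n' "$candidate" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$candidate" != "$FIXED_VERSION" ] && [ "$lowest" = "$candidate" ]; then
        echo yes
    else
        echo no
    fi
}

# check_site [WP_PATH]: ask wp-cli for the installed version of the plugin and
# classify it. Requires wp-cli; not invoked automatically below.
check_site() {
    wp_path="${1:-.}"
    installed=$(wp --path="$wp_path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "plugin $PLUGIN_SLUG not installed at $wp_path"
        return 0
    }
    printf '%s %s vulnerable=%s\n' "$PLUGIN_SLUG" "$installed" "$(is_vulnerable "$installed")"
}

# scan_log FILE: print access-log lines that reach admin-ajax.php with the
# vulnerable action in the query string. Only requests that carry the action in
# the URL are visible here; a POST body is not in the access log, so those
# requests need WAF or request-body logging to classify.
scan_log() {
    grep -E 'admin-ajax\.php\?[^" ]*action=databasebackupajax_delete' "$1"
}

# write_sample_log FILE: constructed sample lines (not real traffic). The second
# line carries the action in the query string; the third is an opaque POST.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2025:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=databasebackupajax_delete HTTP/1.1" 200 12 "-" "curl/8.4.0"
10.0.0.5 - - [01/Mar/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
}

# count_hits: number of flagged lines in the constructed sample log.
count_hits() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    hits=$(scan_log "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$hits"
}

for v in 2.35 2.36 2.36.1 2.37; do
    printf 'version %s vulnerable=%s\n' "$v" "$(is_vulnerable "$v")"
done
echo "flagged requests in sample log: $(count_hits)"
# Against a live site: check_site /var/www/html
```

The version comparison is the part worth getting right: a naive string or numeric comparison treats 2.36 as fixed, while the page records 2.36 as only a partial fix. The log scan is intentionally narrow; it will not see the action name in a POST body, which is why the detection bullet above pairs it with WAF or body logging.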
Exploitation status
EPSS
3.97% (88th percentile)
The primary mitigation for CVE-2024-13910 is to upgrade the Database Backup and check Tables Automated With Scheduler plugin to version 2.36.1 or later; 2.36 contained only a partial fix. If an immediate upgrade is not possible because of compatibility concerns, reduce the blast radius of a deletion: make wp-config.php and the WordPress core files read-only for the web server user where the hosting workflow allows, and set DISALLOW_FILE_MODS in wp-config.php so that a deleted file cannot be followed by an attacker-installed plugin. Put a Web Application Firewall in front of the site with a rule that blocks requests invoking the databasebackupajax_delete handler, keeping in mind that for an AJAX action the name travels in the POST body, so the rule must inspect the body rather than the URL. Review installed plugins regularly and keep administrator accounts to the minimum needed, protected with strong credentials and two-factor authentication.
Update the Database Backup and check Tables Automated With Scheduler 2024 plugin to version 2.36.1 or later. That release contains the full fix for the arbitrary file deletion vulnerability; 2.36 was only a partial fix.
CVE-2024-13910 is a vulnerability in the Database Backup and check Tables Automated With Scheduler WordPress plugin that lets authenticated administrators delete arbitrary files on the server, which can be chained into remote code execution.
You are affected if you run the Database Backup and check Tables Automated With Scheduler plugin at version 2.35 or earlier, and you should treat 2.36 as incompletely fixed. Upgrade to version 2.36.1 or later.
Upgrade the Database Backup and check Tables Automated With Scheduler plugin to version 2.36.1 or later. Restricting write access to wp-config.php and core files, setting DISALLOW_FILE_MODS, and adding a WAF rule for the databasebackupajax_delete handler are additional safeguards.
No active exploitation campaigns have been publicly reported. Exploitation requires an administrator account, but once that is in hand it takes only a single request, so the vulnerability is a plausible target for attackers who have already obtained administrator access.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and updates related to CVE-2024-13910.