Platform
wordpress
Component
listingpro-plugin
Fixed version
2.9.4
CVE-2024-39619 describes a Path Traversal vulnerability within the ListingPro WordPress plugin. This flaw allows attackers to exploit improper limitations on file paths, resulting in PHP Local File Inclusion. Versions of ListingPro prior to 2.9.4 are vulnerable, and a patch has been released to address the issue.
The Path Traversal vulnerability in ListingPro allows an attacker to include arbitrary files from the server's filesystem. This is a severe risk because it can lead to Remote Code Execution (RCE) if the attacker can include a file containing malicious PHP code. Successful exploitation could grant an attacker complete control over the WordPress instance, enabling them to steal sensitive data, modify website content, or even use the server as a launchpad for further attacks. The impact is particularly high given the plugin's potential use in listing directories and business websites, which often contain valuable customer data and financial information.
CVE-2024-39619 was publicly disclosed on August 1, 2024. While no public proof-of-concept (POC) code has been widely released, the nature of Path Traversal vulnerabilities makes it likely that one will emerge. The EPSS score is likely to be medium to high, given the potential for RCE and the widespread use of WordPress. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites using the ListingPro WordPress plugin, particularly those running versions prior to 2.9.4, are at risk. Shared hosting environments are especially vulnerable, as they often have limited control over server configurations and plugin updates. Businesses relying on ListingPro for directory listings or business profiles are also at heightened risk due to the potential exposure of sensitive customer data.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/listingpro/*
• generic web:
curl -I 'https://example.com/wp-content/plugins/listingpro/../../../../etc/passwd'
• wordpress / composer / npm:
wp plugin list --status=active | grep listingpro
disclosure
Exploitation status
EPSS
1.66% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-39619 is to immediately upgrade the ListingPro plugin to version 2.9.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict file upload permissions and carefully review any user-supplied input that is used in file inclusion operations. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that it is blocked or results in an error.
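A log-side check of the kind a WAF rule or an input review needs, added here as an example and not taken from the advisory or from the ListingPro code: it decodes and normalizes each request path and query value addressed to the plugin directory and reports any that resolve outside it, which catches encoded variants that a literal '../' match would miss. The plugin path, the sample access-log lines, the file name example.php and the tpl parameter are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed plugin directory (constructed for this example); requests under it are in scope.
PLUGIN_BASE = "/wp-content/plugins/listingpro"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # "GET /path HTTP/1.1"

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) so hidden dots surface."""
    for _ in range(max_rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def escapes_base(candidate, base=PLUGIN_BASE):
    """Resolve `candidate` against `base`; True if the result leaves `base`.
    A substring match on '../' misses '%2e%2e/', '..%2f' and backslashes;
    normalising the decoded path and checking the prefix catches them all."""
    path = decode_fully(candidate).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, path))
    return resolved != base and not resolved.startswith(base + "/")

def is_traversal(target, base=PLUGIN_BASE):
    """Flag a request target (path plus query) aimed at the plugin directory."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if not path.startswith(base + "/"):
        return False  # not addressed to the plugin, so out of scope here
    if escapes_base(path, base):
        return True
    # Query values are what a file-inclusion parameter would receive.
    return any(escapes_base(v, base) for _, v in parse_qsl(parts.query, keep_blank_values=True))

def flag_traversal(log_lines):
    """Return the request targets in `log_lines` that attempt traversal."""
    targets = (m.group("target") for m in map(REQUEST_RE.search, log_lines) if m)
    return [t for t in targets if is_traversal(t)]

# Constructed sample lines: one benign request, then three traversal variants
# (plain, double-encoded, and via a hypothetical 'tpl' query parameter).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2024:10:00:00 +0000] "GET /wp-content/plugins/listingpro/assets/style.css HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2024:10:00:01 +0000] "GET /wp-content/plugins/listingpro/../../../../etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Aug/2024:10:00:02 +0000] "GET /wp-content/plugins/listingpro/..%252f..%252fwp-config.php HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Aug/2024:10:00:03 +0000] "GET /wp-content/plugins/listingpro/example.php?tpl=..%2f..%2fwp-config.php HTTP/1.1" 200 0',
]
```

Running `flag_traversal(SAMPLE_LOG)` returns the three traversal targets and leaves the benign stylesheet request alone; the same `escapes_base` check is the containment test an include routine should apply to its own file parameter.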
Update the ListingPro plugin to the latest available version. The Local File Inclusion vulnerability allows attackers to access sensitive files on the server. Updating fixes this vulnerability and protects your website.
CVE-2024-39619 is a critical Path Traversal vulnerability in the ListingPro WordPress plugin, allowing attackers to potentially include arbitrary files and execute code.
Yes, if you are using ListingPro version 2.9.3 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade the ListingPro plugin to version 2.9.4 or later to resolve this vulnerability. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the CridioStudio website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-39619.