6.5

CVE-2024-1076

Exploit

SSL Zen <= 4.5.3 - Unauthenticated Private Keys Access

SSL Zen – Free Let's Encrypt SSL Certificate & HTTPS/SSL Redirect WordPress Plugin <= 4.5.0 - Sensitive Information Exposure

The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it relies only on .htaccess to prevent visitors from accessing the site's generated private keys. This allows an attacker to read them if the site runs on a server that doesn't support .htaccess files, such as NGINX.
Possible mitigation
SSL Zen — SSL Certificate Installer & HTTPS Redirects: Update to version 4.6.0, or a newer patched version
Data provided by the National Vulnerability Database (NVD)
Sslzen | Ssl Zen | SwPlatform: wordpress | Version < 4.6.0
Further vulnerability information
System: WordPress Plugin
Product: SSL Zen — SSL Certificate Installer & HTTPS Redirects
Version: *-4.5.0
No warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.41% | 0.328
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 3.9 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://wpscan.com/vulnerability/9c3e9c72-3d6c-4e2c-bb8a-f4efce1371d5/
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/e78b5ed9-4e46-4bc9-9e4e-0f70bc81d1cb
Third Party Advisory