CVE-2024-11289

EPSS 0.38%
Veröffentlicht 06.12.2024 10:15:05
Zuletzt bearbeitet 06.12.2024 10:15:05
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Soledad <= 8.5.9 - Unauthenticated Limited Local File Inclusion

The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_func. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. The exploitability of this is limited to Windows.

Mögliche Gegenmaßnahme

Soledad: Update to version 8.6.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Theme

≫

Produkt Soledad

Version *-8.5.9

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerpencidesign

≫

Produkt soledad

Default Statusunknown

Version <= 8.5.9

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.589

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398

https://www.wordfence.com/threat-intel/vulnerabilities/id/927674db-05f1-4f3b-8297-8a907955ea87?source=cve

https://www.wordfence.com/threat-intel/vulnerabilities/id/927674db-05f1-4f3b-8297-8a907955ea87

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-11289

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-11289

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-11289

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-11289