CVE-2024-10672

External Control of File Name or Path (CWE-73)

Published: Nov 12, 2024 / Updated: 8d ago

CVSS: 2.7 / EPSS: 0.07% / Severity: Low

Summary

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

Impact

This vulnerability allows authenticated attackers with editor-level access or higher to delete limited files on the server. The impact is primarily on the integrity of the system, as it allows unauthorized file deletion. However, the confidentiality and availability of the system are not directly affected. The CVSS base score is 2.7, indicating a relatively low severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 4.0.3 of the Multiple Page Generator Plugin for WordPress.

Mitigation

1. Update the Multiple Page Generator Plugin to version 4.0.3 or later.
2. If immediate updating is not possible, restrict editor-level access to trusted users only.
3. Monitor file system activities, especially deletions, for any suspicious behavior.
4. Implement the principle of least privilege for user accounts with access to the WordPress admin panel.
5. Regularly back up your WordPress installation and files to mitigate potential data loss from file deletions.
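The root cause named in the summary is insufficient file path validation before a deletion (CWE-73). The following PHP helper is an added example written for this page; it is not code from the MPG plugin or from Themeisle, and the function name `mpg_safe_delete_source_file`, the `$base_dir` parameter and the assumed allow-list of `csv`/`json` extensions are all hypothetical. It shows the containment checks a plugin should perform before calling `unlink()` on a user-influenced file name, and it logs each deletion so that the file-system monitoring in mitigation step 3 has a record tied to the acting user.

```php
<?php
// Added example (not the plugin's own code): delete a file only when the
// caller-supplied name resolves to a regular file strictly inside $base_dir.
// All names here are hypothetical; the allowed extensions are an assumption.

/**
 * Return true when $requested was deleted, false when it was rejected.
 *
 * @param string   $base_dir     Directory the plugin is allowed to manage.
 * @param string   $requested    File name taken from the request.
 * @param string[] $allowed_ext  Assumed allow-list of source file types.
 */
function mpg_safe_delete_source_file(string $base_dir, string $requested, array $allowed_ext = ['csv', 'json']): bool
{
    // 1. Canonicalise the base directory and give it a trailing separator so
    //    the later prefix check cannot be fooled by a sibling like "/base2".
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // 2. The request must name a file, not a path: any directory component
    //    ("../", absolute paths, "." or "..") is rejected outright.
    $name = basename($requested);
    if ($name !== $requested || $name === '' || $name === '.' || $name === '..') {
        error_log("mpg: rejected path-like file name: $requested");
        return false;
    }

    // 3. Allow-list the extension so only the plugin's own source files qualify.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        error_log("mpg: rejected extension '$ext' for $name");
        return false;
    }

    // 4. Resolve the final target and re-check containment after realpath(),
    //    which also catches a symlink inside $base_dir pointing elsewhere.
    $target = realpath($base . $name);
    if ($target === false || strncmp($target, $base, strlen($base)) !== 0 || !is_file($target)) {
        error_log("mpg: target outside base or not a regular file: $name");
        return false;
    }

    // 5. Record who deleted what; get_current_user_id() exists only inside
    //    WordPress, so fall back to 0 when run stand-alone.
    $user = function_exists('get_current_user_id') ? get_current_user_id() : 0;
    error_log("mpg: user $user deleted $target");
    return unlink($target);
}

// Constructed demo input: a throwaway directory holding one source file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mpg_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'products.csv', "id,name\n1,widget\n");

var_dump(mpg_safe_delete_source_file($dir, '../wp-config.php'));  // rejected: path-like name
var_dump(mpg_safe_delete_source_file($dir, 'products.php'));      // rejected: extension not allowed
var_dump(mpg_safe_delete_source_file($dir, 'products.csv'));      // accepted and deleted
var_dump(file_exists($dir . DIRECTORY_SEPARATOR . 'products.csv'));

rmdir($dir);
```

The two-stage check matters: rejecting separators in step 2 stops traversal in the request itself, while the post-`realpath()` prefix comparison in step 4 stops a symlink already on disk from redirecting the deletion outside the managed directory. In a real WordPress plugin the capability check (`current_user_can()`) and nonce verification would sit in front of this helper; they are omitted here because the page does not describe the plugin's request handling.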

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-10672.

Nov 12, 2024 at 3:31 AM / Vulners.com RSS Feed
CVE Assignment

NVD published the first details for CVE-2024-10672

Nov 12, 2024 at 4:15 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 4:22 AM
EPSS

EPSS Score was set to: 0.07% (Percentile: 31.3%)

Nov 12, 2024 at 9:54 AM

Affected Systems

Themeisle/multiple_page_generator

Patches

plugins.trac.wordpress.org

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-13: Subverting Environment Variable Values

News

Low - CVE-2024-10672 - The Multiple Page Generator Plugin – MPG plugin...
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in...
CVE-2024-10672
Low Severity Description The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server. Read more at https://www.tenable.com/cve/CVE-2024-10672
CVE-2024-10672 - WordPress MPG Plugin File Deletion Vulnerability
CVE ID : CVE-2024-10672 Published : Nov. 12, 2024, 4:15 a.m. 53 minutes ago Description : The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server. Severity: 2.7

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None
