CVE-2024-51582

Path Traversal: '.../...//' (CWE-35)

Published: Nov 4, 2024 / Updated: 15d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

A path traversal vulnerability of the '.../...//' type (CWE-35) has been identified in the ThimPress WP Hotel Booking plugin for WordPress; it leads to PHP Local File Inclusion. CWE-35 covers inputs such as '.../...//' that are not traversal sequences on their own but collapse into '../' once a filter strips a single '../' out of them, so the traversal only appears after sanitisation has run. The affected versions of WP Hotel Booking range from an unspecified starting point ("n/a") up to and including version 2.1.4.

Impact

This vulnerability has a CVSS 3.1 base score of 8.8 (High). It lets an attacker have the PHP interpreter include files from the server's filesystem, which exposes sensitive files (for example wp-config.php with the database credentials) and can escalate to arbitrary code execution if the attacker can point the include at a file whose contents they control. Confidentiality, integrity, and availability are all rated HIGH. The vector requires low privileges (PR:L, an authenticated low-privilege WordPress account) and no user interaction, and the attack vector is network-based, so it is exploitable remotely by any such user who can reach the vulnerable code path.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The available information does not name a fixed version. Since the affected range is everything up to and including 2.1.4, a release newer than 2.1.4, if ThimPress has published one, is expected to resolve the issue; check the plugin's changelog and update it through the WordPress plugin directory.

Mitigation

Until a fixed version is installed, consider the following mitigations:
1. Temporarily deactivate the WP Hotel Booking plugin if it is not critical to your operations.
2. Where you control the site's own code, validate file parameters by canonicalising the path and checking that it stays inside the intended directory. Do not rely on stripping "../" from the input: a single strip pass is exactly the filter a '.../...//' payload is built to defeat.
3. Use Web Application Firewall (WAF) rules that detect and block path traversal attempts, including the '.../...//' shape and percent-encoded or double-encoded variants, not only a literal "../".
4. Apply the principle of least privilege to filesystem permissions so the PHP worker can read only what the site needs.
5. Regularly monitor and audit web-server and application logs for traversal patterns and unexpected file access.
6. Keep the WordPress core, all themes, and other plugins up to date.
7. Consider a security plugin that can detect and block such attacks.
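The following is an added example for this advisory, not code from ThimPress or the WP Hotel Booking plugin. It shows why a strip-based filter fails against the CWE-35 '.../...//' shape (mitigation 2), a WAF-style check that also catches that shape and encoded variants (mitigation 3), and the canonicalise-and-contain check an include() should perform instead. The request lines are constructed, and the "template" parameter name and "/index.php" endpoint are placeholders, not the plugin's real parameter or endpoint.

```python
"""CWE-35 ('.../...//') traversal: detection and a hardened include check.

Added example for this advisory; not code from ThimPress or WP Hotel Booking.
The request lines are constructed, and the 'template' parameter name and
'/index.php' endpoint are placeholders, not the plugin's real parameter or URL.
"""
import os
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests (hypothetical endpoint and parameter name).
SAMPLE_REQUESTS = [
    "/index.php?template=room-detail.php",                           # benign
    "/index.php?template=../../../wp-config.php",                    # plain traversal
    "/index.php?template=.../...//.../...//.../...//wp-config.php",  # CWE-35 shape
    "/index.php?template=..%252F..%252Fwp-config.php",               # double-encoded
    "/index.php?template=room-detail.php%00.jpg",                    # NUL truncation
]


def naive_strip(value: str) -> str:
    """The kind of filter CWE-35 payloads defeat: a single pass removing '../'.

    Stripping '../' from '.../...//' leaves '../': the payload only becomes a
    traversal *after* sanitisation, which is why it slips past the check.
    """
    return value.replace("../", "")


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_dotdot_segment(path: str) -> bool:
    """True if any '/'- or '\\'-separated segment is exactly '..'."""
    return any(segment == ".." for segment in path.replace("\\", "/").split("/"))


def is_traversal(raw: str) -> bool:
    """WAF-style check on one parameter value, as received on the wire."""
    value = decode_fully(raw)
    if "\x00" in value:            # NUL-byte truncation attempts
        return True
    if has_dotdot_segment(value):  # ordinary '../' traversal
        return True
    # Model the filter CWE-35 is built to survive: if one strip pass *creates*
    # a '..' segment, the value was shaped to pass sanitisation and traverse later.
    return has_dotdot_segment(naive_strip(value))


def resolve_template(base_dir: str, requested: str) -> Optional[str]:
    """Server-side check before include(): canonicalise, then require the result
    to stay under base_dir and to be an existing .php file. Nothing is stripped,
    so '.../...//' is never rewritten into '../' on the way through."""
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(".php") or not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> List[Tuple[bool, Optional[str]]]:
    """Run both checks over SAMPLE_REQUESTS in a throwaway directory layout:
    <root>/templates/room-detail.php (allowed) and <root>/wp-config.php (target)."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        templates = os.path.join(root, "templates")
        os.mkdir(templates)
        with open(os.path.join(templates, "room-detail.php"), "w") as fh:
            fh.write("<?php // allowed template ?>")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed'); ?>")
        for request in SAMPLE_REQUESTS:
            # parse_qs decodes once, the same way PHP's $_GET does.
            value = parse_qs(urlsplit(request).query)["template"][0]
            results.append((is_traversal(value), resolve_template(templates, value)))
    return results


if __name__ == "__main__":
    for request, (flagged, resolved) in zip(SAMPLE_REQUESTS, demo()):
        print(f"{'BLOCK' if flagged else 'allow'}  {request}  -> {resolved}")
```

Only the benign request resolves to a file; the plain, CWE-35 and double-encoded traversals are flagged by is_traversal, and resolve_template refuses all four bad inputs without ever stripping anything. The WAF-style check covers relative traversal shapes only; the realpath-and-commonpath check in resolve_template is the control that actually stops an include from leaving its directory, and it also rejects absolute paths, which the WAF check does not look for.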

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51582

Nov 4, 2024 at 2:15 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Nov 4, 2024 at 2:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-51582.

Nov 4, 2024 at 2:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 4, 2024 at 2:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 5, 2024 at 10:05 AM

Affected Systems

Thimpress/wp_hotel_booking

Attack Patterns

CAPEC-126: Path Traversal

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 28, 2024 to November 3, 2024)
WordPress Plugins with Reported Vulnerabilities Last Week All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers
CVE Alert: CVE-2024-51582 - https://www.redpacketsecurity.com/cve_alert_cve-2024-51582/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_51582
Huawei lists EMUI and HarmonyOS November 2024 security patch details
We’re on 5th November 2024 and Huawei has revealed new security patch details for its EMUI and HarmonyOS devices. Huawei has eliminated around 21 vulnerabilities with the November 2024 security patch for EMUI and HarmonyOS models.
NA - CVE-2024-51582 - Path Traversal: '.../...//'...
Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion. This issue affects WP Hotel Booking: from n/a through 2.1.4.
CVE-2024-51582 | ThimPress WP Hotel Booking Plugin up to 2.1.4 on WordPress path traversal
A vulnerability, which was classified as problematic, has been found in ThimPress WP Hotel Booking Plugin up to 2.1.4 on WordPress. This issue affects some unknown processing. The manipulation leads to path traversal: '.../...//'. The identification of this vulnerability is CVE-2024-51582. The attack may be initiated remotely. There is no exploit available.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
