CVE-2024-7149

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Sep 27, 2024 / Updated: 53d ago

CVSS 8.8 / EPSS 0.04% / Severity: High

Summary

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

Impact

This vulnerability could allow attackers to compromise WordPress installations. The specific impacts include unauthorized access, data breaches, or website defacement. Given the high severity rating (CVSS base score of 8.8), this vulnerability poses a significant risk. Attackers with Contributor-level access or higher could exploit it to execute arbitrary PHP code on the server, potentially leading to full server compromise, data theft, or manipulation of the WordPress site.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is not yet available based on the provided information. The vulnerability affects all versions of the Eventin plugin up to and including version 4.0.8. WordPress users should monitor official WordPress security announcements and the plugin's update channels for a patched version.

Mitigation

While awaiting a patch, implement the following mitigation steps:

1. If possible, temporarily disable the Eventin plugin until a patched version is available.
2. Limit user roles and permissions, especially for Contributor-level accounts and above.
3. Implement strong access controls and use two-factor authentication.
4. Regularly monitor WordPress and plugin logs for suspicious activities.
5. Keep WordPress core, themes, and all other plugins updated to their latest versions.
6. Use a Web Application Firewall (WAF) configured to detect and block Local File Inclusion attempts.
7. Restrict file upload capabilities and thoroughly validate all uploaded files.
8. Regularly back up your WordPress site to enable quick recovery if compromised.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7149. See article

Sep 27, 2024 at 5:35 AM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 27, 2024 at 5:35 AM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 27, 2024 at 2:01 PM
CVE Assignment

NVD published the first details for CVE-2024-7149

Sep 27, 2024 at 2:15 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Sep 27, 2024 at 2:20 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.9%)

Sep 28, 2024 at 9:21 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (152256)

Sep 30, 2024 at 7:53 AM

Affected Systems

Themewinter/eventin

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-126: Path Traversal

News

Web Application Detections Published in October 2024
In October, Qualys released QIDs targeting vulnerabilities in several widely used software products, including WordPress, Zohocorp ManageEngine Endpoint, Lobe Chat, Ivanti Virtual Traffic Manager (vTM), Traefik, Nginx Proxy Manager, Harbor, Haproxy, SolarWinds Access Rights Manager (ARM), Cacti, Ivanti Endpoint Manager Mobile (EPMM), JetBrains TeamCity, Palo Alto Networks Expedition, Progress Telerik Report Server, Zimbra, Oracle WebLogic Server, Apache Solr, FlatPress CMS, pgAdmin, Grafana, pfSense, SolarWinds Web Help Desk, Ivanti Avalanche, ReCrystallize Server, Joomla!, and PHP. The QIDs released to detect the vulnerabilities in the frameworks above are listed below. Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities. QID Title 152202 Zohocorp ManageEngine Endpoint Central Incorrect Authorization Vulnerability (CVE-2024-38868) 152206 WordPress Delicious Recipe Plugin: Arbitrary File Movement and Reading Vulnerability (CVE-2024-7626) 152207 WordPress Simple Spoiler Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8479) 152209 WordPress PropertyHive Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8490) 152210 WordPress Share This Image Plugin: Open Redirect Vulnerability (CVE-2024-8761) 152215 WordPress infolinks Ad Wrap Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8044) 152216 WordPress Bit File Manager Plugin:
Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
Update Sat Sep 28 14:32:32 UTC 2024
CVE-2024-7149
High Severity Description The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Read more at https://www.tenable.com/cve/CVE-2024-7149
CVE-2024-7149
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
