CVE-2024-8352

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Oct 3, 2024 / Updated: 48d ago

CVSS 7.5 (High) / EPSS 0.06%

Summary

The Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin for WordPress contains a Directory Traversal vulnerability in all versions up to and including 4.1.11. This vulnerability is present in the download_log function and allows unauthenticated attackers to read the contents of arbitrary files on the server.

Impact

This vulnerability enables unauthenticated attackers to access and read arbitrary files on the server, potentially exposing sensitive information. The CVSS v3.1 base score is 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates a high confidentiality impact, with no impact on integrity or availability. The attack is reachable over the network, is of low complexity, and requires neither privileges nor user interaction.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been addressed in version 4.1.12 of the Social Web Suite plugin. The patch was added on October 8, 2024, and can be found at the WordPress plugin repository.

Mitigation

1. Update the Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin to version 4.1.12 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the plugin until the update can be applied.
3. Implement strong access controls and input validation mechanisms to prevent unauthorized access to sensitive files.
4. Regularly audit and monitor server logs for any suspicious file access attempts.
5. Apply the principle of least privilege to all WordPress installations and associated plugins.
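The access-control and input-validation advice above, shown as an illustrative hardened log-download handler for a WordPress plugin. This is an added example, not the Social Web Suite code (the page does not show its download_log implementation); the log directory, action name and nonce name are hypothetical.

```php
<?php
// Added example of a hardened log-download handler; not the plugin's own code.
// Hypothetical assumptions: logs live under wp-content/uploads/example-plugin-logs/
// and the handler is an authenticated admin-ajax action named example_download_log.

// Registered only for logged-in users: there is deliberately no 'wp_ajax_nopriv_*'
// hook, so unauthenticated requests never reach this function.
add_action( 'wp_ajax_example_download_log', 'example_download_log' );

function example_download_log() {
    // 1. Authorization: only administrators (manage_options) may download logs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_download_log' );

    $log_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin-logs/';
    $path    = example_resolve_log_path( $log_dir, (string) ( $_GET['file'] ?? '' ) );
    if ( null === $path ) {
        wp_die( 'Invalid log file', '', array( 'response' => 400 ) );
    }

    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

/**
 * Map an untrusted file name onto a file inside $log_dir, or return null.
 * Rejects '../' sequences, absolute paths, NUL bytes and symlinks that
 * resolve outside the log directory.
 */
function example_resolve_log_path( string $log_dir, string $requested ): ?string {
    // Allow-list the name: dot-separated alphanumeric segments ending in ".log".
    // Two consecutive dots cannot match, so ".." never passes.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\.log\z/', $requested ) ) {
        return null;
    }
    $base = realpath( $log_dir );
    $real = realpath( $log_dir . $requested );
    if ( false === $base || false === $real || ! is_file( $real ) ) {
        return null;
    }
    // The canonical path must still sit inside the canonical log directory.
    if ( strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null;
    }
    return $real;
}
```

The realpath comparison is the check that makes the difference for CWE-22: even if a name slipped past the allow-list, a resolved path outside the log directory is refused before any file is read.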

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8352. See article

Oct 2, 2024 at 7:30 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 2, 2024 at 7:30 PM
CVE Assignment

NVD published the first details for CVE-2024-8352

Oct 3, 2024 at 4:15 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 3, 2024 at 4:15 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 3, 2024 at 4:36 AM
EPSS

EPSS Score was set to: 0.06% (Percentile: 28.9%)

Oct 3, 2024 at 10:10 AM

Affected Systems

Hypestudio/social_web_suite

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-126: Path Traversal

News

Web Application Detections Published in October 2024
In October, Qualys released QIDs targeting vulnerabilities in several widely used software products, including WordPress, Zohocorp ManageEngine Endpoint, Lobe Chat, Ivanti Virtual Traffic Manager (vTM), Traefik, Nginx Proxy Manager, Harbor, Haproxy, SolarWinds Access Rights Manager (ARM), Cacti, Ivanti Endpoint Manager Mobile (EPMM), JetBrains TeamCity, Palo Alto Networks Expedition, Progress Telerik Report Server, Zimbra, Oracle WebLogic Server, Apache Solr, FlatPress CMS, pgAdmin, Grafana, pfSense, SolarWinds Web Help Desk, Ivanti Avalanche, ReCrystallize Server, Joomla!, and PHP. The QIDs released to detect the vulnerabilities in the frameworks above are listed below. Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities.

QID     Title
152202  Zohocorp ManageEngine Endpoint Central Incorrect Authorization Vulnerability (CVE-2024-38868)
152206  WordPress Delicious Recipe Plugin: Arbitrary File Movement and Reading Vulnerability (CVE-2024-7626)
152207  WordPress Simple Spoiler Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8479)
152209  WordPress PropertyHive Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8490)
152210  WordPress Share This Image Plugin: Open Redirect Vulnerability (CVE-2024-8761)
152215  WordPress infolinks Ad Wrap Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8044)
152216  WordPress Bit File Manager Plugin:
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024)
All in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers WordPress Plugins with Reported Vulnerabilities Last Week
cveNotify : 🚨 CVE-2024-8352The Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.1.11 via the download_log function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.🎖@cveNotify
CVE Alert: CVE-2024-8352 - https://www.redpacketsecurity.com/cve_alert_cve-2024-8352/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_8352
CVE-2024-8352 (High Severity)
Description: The Social Web Suite – Social Media Auto Post, Social Media Auto Publish plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.1.11 via the download_log function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Read more at https://www.tenable.com/cve/CVE-2024-8352

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
