S4E

CVE-2024-3673 Scanner

CVE-2024-3673 Scanner - Local File Inclusion vulnerability in Web Directory Free

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 22 hours
Scan only one: Domain, IPv4
Toolbox: -

Web Directory Free is a WordPress plugin used to manage web directories. Webmasters and developers commonly use it to create and manage comprehensive directories on websites. The plugin is well-regarded for its user-friendly interface and its integration with WordPress. It lets users manage listings and categories and submit forms efficiently. However, some versions of the plugin contain vulnerabilities that can be exploited if the plugin is not updated promptly. Webmasters using older versions should be aware of the security risks associated with them.

Local File Inclusion (LFI) is a type of vulnerability affecting Web Directory Free versions before 1.7.3. It allows an attacker to make the server include files from its own file system through crafted web requests. In this plugin, the vulnerability arises because certain parameters are not properly validated before use, allowing potential access to sensitive files on the server. LFI vulnerabilities pose significant security risks because they can be leveraged to gain unauthorized access to sensitive information or execute malicious files.

The Local File Inclusion (LFI) vulnerability in Web Directory Free stems from improper validation of parameters passed to include() calls. The vulnerable code is reached through the admin-ajax.php file, which accepts user input that is not adequately sanitized. An attacker can craft requests targeting this file to include unintended server-side files, such as /etc/passwd on Linux systems. The root cause is improper handling of user input, specifically a URL parameter that is not sufficiently restricted.
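For asset owners reviewing their own logs, the following added example (not part of the original page or of the plugin's code) flags admin-ajax.php requests whose query parameters decode to a path traversal or an absolute system path. The log lines are constructed, and the parameter names "action" and "tpl" are hypothetical placeholders, not the plugin's real parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format. The parameter names
# ("action", "tpl") are hypothetical; they are not taken from the plugin.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
    '203.0.113.9 - - [10/May/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=x&tpl=../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [10/May/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=x&tpl=%252e%252e%252f%252e%252e%252fwp-config HTTP/1.1" 200 0',
    '198.51.100.4 - - [10/May/2024:10:01:00 +0000] "GET /blog/?p=../etc/passwd HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Directory traversal, or an absolute path into common system directories.
SUSPICIOUS_RE = re.compile(r'\.\.[/\\]|^/(?:etc|proc|var)/', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_probes(lines):
    """Return (client_ip, parameter, decoded_value, status) per suspicious hit."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, target, status = match.groups()
        url = urlsplit(target)
        # Scope the check to the endpoint named in the advisory text.
        if not url.path.endswith("/admin-ajax.php"):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append((client_ip, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_probes(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and a large response body deserves the closest look, since it suggests the included file's contents were returned.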

Exploitation of this vulnerability can lead to severe consequences, including unauthorized access to sensitive system files and data. Attackers could read system files that contain information about user accounts and other critical server data. In some cases, this could also be leveraged to execute remote code or scripts on the server if combined with other vulnerabilities. The exploitation of such a vulnerability could potentially compromise the entire server, leading to data breaches and service disruptions.
