CVE-2024-3673 Scanner
CVE-2024-3673 Scanner - Local File Inclusion vulnerability in Web Directory Free
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
12 days 22 hours
Scan only one
Domain, IPv4
Toolbox
-
Web Directory Free is a WordPress plugin used to manage web directories. It is commonly employed by webmasters and developers to create and manage comprehensive directories on websites. The plugin is well-regarded for its user-friendly interface and integrations with WordPress. It allows users to manage listings, categories, and submit forms efficiently. However, the plugin has had versions with vulnerabilities that could be exploited if not updated promptly. Webmasters using older versions of the plugin should be aware of potential security risks associated with it.
Local File Inclusion (LFI) is a type of vulnerability affecting Web Directory Free, particularly in versions before 1.7.3. This vulnerability allows attackers to include files within the server via the web browser. In the context of this plugin, the vulnerability arises because certain parameters are not properly validated before use, allowing potential access to sensitive files on the server. LFI vulnerabilities pose significant security risks as they can be leveraged to gain unauthorized access to sensitive information or execute malicious files.
The Local File Inclusion (LFI) vulnerability in Web Directory Free stems from improper validation of parameters used in include() functions. The vulnerable endpoint involves the admin-ajax.php file, which accepts user input that is not adequately sanitized. An attacker can craft requests targeting this file to include unwanted server-side files such as the /etc/passwd file on Linux systems. The vulnerability exists because of improper handling of user input, specifically in the URL parameter that is not sufficiently restricted, leading to potential exploitation.
Exploitation of this vulnerability can lead to severe consequences, including unauthorized access to sensitive system files and data. Attackers could read system files that contain information about user accounts and other critical server data. In some cases, this could also be leveraged to execute remote code or scripts on the server if combined with other vulnerabilities. The exploitation of such a vulnerability could potentially compromise the entire server, leading to data breaches and service disruptions.
REFERENCES