CVE-2024-12209 Scanner
CVE-2024-12209 Scanner - Local File Inclusion vulnerability in WP Umbrella
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
11 days 10 hours
Scan only one
Domain, IPv4, Subdomain
Toolbox
-
The WP Umbrella plugin for WordPress is a tool used for managing backup, restore, and monitoring tasks in WordPress environments. It allows administrators to automate and schedule backups, monitor plugin health, and restore previous backup states. However, the plugin has a security flaw that can be exploited by attackers. The vulnerability is present in all versions up to and including 2.17.0, where improper handling of user inputs allows attackers to perform local file inclusion attacks. This flaw could allow attackers to compromise the integrity of the server hosting WordPress.
The vulnerability lies in the WP Umbrella plugin, where an attacker can exploit the 'filename' parameter in the 'umbrella-restore' action to perform a local file inclusion (LFI). This happens because the parameter is not properly sanitized, allowing attackers to craft a request that can include arbitrary files from the server. In this scenario, attackers can access sensitive files like '/etc/passwd', leading to serious security breaches. The LFI vulnerability can lead to code execution if attackers upload malicious files that get included on the server. This vulnerability is exploitable without authentication, making it highly dangerous.
The WP Umbrella plugin's 'umbrella-restore' action is vulnerable to LFI via the 'filename' parameter. Attackers can manipulate this parameter to include sensitive system files such as '/etc/passwd'. The plugin fails to validate and sanitize the user input properly, which allows attackers to traverse directories and execute arbitrary files. The issue occurs in all versions of the plugin up to and including 2.17.0. The exploited file inclusion can lead to code execution when malicious files are included or bypass access controls. An attacker only needs to send a crafted HTTP request to exploit the vulnerability.
If the vulnerability is exploited, attackers can include arbitrary files, which can be used to execute arbitrary PHP code on the server. This could allow attackers to bypass authentication controls and gain unauthorized access to sensitive information, such as system files. It may also lead to full server compromise if the attacker successfully uploads and includes a web shell or malicious PHP file. The exploitability of this vulnerability is compounded by the fact that it can be performed by unauthenticated users, making it particularly severe. In worst-case scenarios, this could result in a full takeover of the affected WordPress site and server.
REFERENCES
- https://github.com/RandomRobbieBF/CVE-2024-12209
- https://plugins.trac.wordpress.org/browser/wp-health/tags/v2.16.4/src/Actions/RestoreRouter.php#L45
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3202883%40wp-health&new=3202883%40wp-health&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c74ce3e8-cab9-4cc6-a1ad-1e51f7268474?source=cve
