Local PHP File Inclusion Vulnerability in Swift Performance Lite Plugin for WordPress
CVE-2024-10516

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Swift Performance Lite
Vendor: CVE Published:; 6 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-10516 identifies a critical vulnerability in the Swift Performance Lite plugin for WordPress, affecting all versions up to and including 2.3.7.1. This vulnerability allows unauthenticated attackers to exploit the 'ajaxify' function, enabling them to include and execute arbitrary files on the server. Such an attack can lead to unauthorized access to sensitive data, bypass access controls, and execute malicious PHP code through the inclusion of files that are perceived as safe, such as images. This poses a significant risk to any WordPress site using the affected plugin, necessitating immediate attention and mitigation strategies.

Affected Version(s)

Swift Performance Lite * <= 2.3.7.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10516
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/swift-performa...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 6, 2024
👾
Exploit known to exist
Dec 6, 2024
Vulnerability published
Dec 6, 2024
Vulnerability Reserved
Oct 29, 2024

Credit

Arkadiusz Hydzik