Path Traversal Vulnerability Affects Automatic from n/a through 3.92.0
CVE-2024-27954

9.3 CRITICAL

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 17 May 2024

Badges

EPSS 93% · News Worthy

Summary

WP Automatic, developed by Automatic, contains an improper limitation of a pathname to a restricted directory (path traversal, CWE-22). Because the path supplied in a request is not confined to the intended directory, an unauthenticated remote attacker can read files and directories that should be off limits, and the same unchecked fetch can be pointed at other targets, raising the risk of server-side request forgery (SSRF) and further compromise of system integrity and data confidentiality. All versions of WP Automatic up to and including 3.92.0 are affected; site owners should update to a fixed release without delay.
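The following is an added illustrative example, not code from the WP Automatic plugin or from any of the sources on this page. It shows the unsafe pattern behind an arbitrary file download (a request parameter joined onto a directory and read as-is) next to a hardened resolver that canonicalises with realpath(), checks that the result stays under the allowed directory, and refuses scheme-prefixed targets so the same fetch cannot be turned into SSRF. The function names (vulnerable_download, resolve_within_base), the "exports" directory and the sample files are assumptions constructed for the demo.

```php
<?php
// Added illustrative example, not code from the WP Automatic plugin: the unsafe
// pattern behind an arbitrary file download next to a hardened resolver.
// Requires PHP 8.0+ (str_starts_with, str_contains, union return types).
declare(strict_types=1);

/**
 * Vulnerable pattern (assumed, for contrast): the request parameter is joined
 * onto the directory and read as-is, so "../wp-config.php" walks out of it.
 * Handlers that pass the parameter straight to file_get_contents()/fopen()
 * additionally accept "http://..." and "php://..." targets, which is the SSRF
 * side of the same missing check.
 */
function vulnerable_download(string $baseDir, string $requested): string|false
{
    return file_get_contents($baseDir . '/' . $requested);
}

/**
 * Hardened resolver: returns the canonical path of $requested only if it is an
 * existing regular file strictly inside $baseDir, otherwise null.
 */
function resolve_within_base(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // A NUL byte can truncate the path in lower layers; never let it through.
    if (str_contains($requested, "\0")) {
        return null;
    }
    // Refuse anything that looks like a scheme or stream wrapper (http:, ftp:,
    // php:, phar:, data:) or a protocol-relative URL. This also rejects colons
    // in plain file names, which is an acceptable trade-off for a downloader.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested) === 1 || str_starts_with($requested, '//')) {
        return null;
    }
    // An absolute path is not "a file under the base directory" by definition.
    if (str_starts_with($requested, '/') || str_starts_with($requested, '\\')) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the containment
    // check below runs on the canonical path rather than on the attacker's string.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against "<base>/" so a sibling such as "/srv/exports2" cannot pass.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

// Self-contained demo on a throwaway tree (constructed sample files):
//   <root>/exports/report.csv   the only file that should ever be served
//   <root>/wp-config.php        a stand-in for the secret one directory up
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/exports', 0700, true);
file_put_contents($root . '/exports/report.csv', "id,name\n1,demo\n");
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'constructed');\n");

$requests = [
    'report.csv',                // legitimate request
    '../wp-config.php',          // classic traversal one level up
    'nope/../../wp-config.php',  // traversal via a nonexistent segment (the kernel refuses this one too)
    '/etc/hostname',             // absolute path
    'http://127.0.0.1/',         // SSRF-style target
    "report.csv\0.png",          // NUL-byte truncation attempt
];
foreach ($requests as $req) {
    try {
        $leak = @vulnerable_download($root . '/exports', $req);
    } catch (\ValueError $e) {   // PHP 8 rejects NUL bytes in paths with an exception
        $leak = false;
    }
    $safe = resolve_within_base($root . '/exports', $req);
    printf("%-28s vulnerable: %-16s hardened: %s\n",
        json_encode($req),
        $leak === false ? 'read failed' : strlen($leak) . ' bytes read',
        $safe === null ? 'REJECTED' : 'serves ' . basename($safe));
}

// Tidy up the demo tree.
unlink($root . '/exports/report.csv');
unlink($root . '/wp-config.php');
rmdir($root . '/exports');
rmdir($root);
```

Run it with `php demo.php`: the vulnerable handler hands back the contents of the constructed wp-config.php for `../wp-config.php`, while the hardened resolver serves only `report.csv` and rejects every other request. The containment test is deliberately done after realpath() rather than by stripping `..` from the string, because lexical filters miss encoded, doubled or symlink-based variants that the canonical path check catches.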

Affected Version(s)

Automatic <= 3.92.0

News Articles

WordPress Automatic Plugin <3.92.1 - Arbitrary File Download and SSRF (CVE-2022-1970)

WordPress Automatic plugin <3.92.1 is vulnerable to unauthenticated Arbitrary File Download and SSRF. The flaw, located in the downloader.php file, could permit attackers to download any file from a site.

WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

Automatic, developed by Valve Press, has been found to harbor critical security vulnerabilities that put over 40k websites at risk.

EPSS Score

EPSS estimates a 93% probability that this vulnerability is exploited in the wild within the next 30 days.

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • First article discovered by GBHackers on Security
  • Vulnerability reserved

Credit

Rafie Muhammad (Patchstack)