CVE-2024-5577

14.06.2024, 08:15

The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. This requires allow_url_include to be set to true in order to exploit, which is not commonly enabled.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Wordfence	CNA	9.8 CRITICAL				CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 92%

References

https://plugins.trac.wordpress.org/browser/where-i-was-where-i-will-be/trunk/system/include/include_user.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/68e0f54d-08ec-4e41-ac9b-d72cdde5a724?source=cve

https://plugins.trac.wordpress.org/browser/where-i-was-where-i-will-be/trunk/system/include/include_user.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/68e0f54d-08ec-4e41-ac9b-d72cdde5a724?source=cve