CVE-2024-11642
Published: 09 January 2025
Summary
CVE-2024-11642 is a critical-severity Path Traversal (CWE-22) vulnerability in Addonmaster Post Grid Master. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-11642 is a local file inclusion (LFI) vulnerability, classified under CWE-22 (path traversal), affecting the Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress. The flaw exists in all versions up to and including 3.4.12 due to improper handling in the 'locate_template' function within Shortcode.php. This allows attackers to include and execute arbitrary files on the server, provided they have a .php extension, potentially leading to remote code execution.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables the inclusion of arbitrary PHP files, allowing code execution, bypass of access controls, and extraction of sensitive data. The impact is heightened in environments where users can upload images or other "safe" file types that contain embedded PHP code.
Advisories, including those from Wordfence, highlight the vulnerability and point to code changes in version 3.4.13 of the plugin, visible in the WordPress plugin trac repository, as the fix. Security practitioners should urge immediate updates to version 3.4.13 or later for affected WordPress sites running the plugin to mitigate the risk of exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34215
Vulnerability details
The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via…
more
the 'locate_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The file included must have a .php extension.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI/RCE in unauthenticated public-facing WordPress plugin directly maps to T1190 exploitation; arbitrary PHP file inclusion enables web shell deployment and execution under T1505.003.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation of information inputs like file paths, directly preventing path traversal exploits in the locate_template function leading to LFI.
SI-2 mandates identification, reporting, and correction of flaws, ensuring timely patching of the vulnerable Post Grid Master plugin to version 3.4.13 or later.
RA-5 requires vulnerability scanning to identify the LFI flaw in the plugin and initiate remediation before exploitation.