CVE-2024-3673
Published: 30 August 2024
Summary
CVE-2024-3673 is a critical-severity vulnerability (weakness type unspecified) in Salephpscripts Web Directory Free. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-3673 is a local file inclusion flaw in the Web Directory Free WordPress plugin before version 1.7.3. The root cause is missing validation of a request parameter that is passed directly to an include() call, so the parameter value chooses which local file is included. The issue is rated 9.1 on CVSS 3.1 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H.
Because the flaw is reachable over the network without authentication or user interaction, a remote attacker can supply a crafted parameter value to read sensitive files on the server or cause denial of service by including unexpected resources. The single reference advisory from WPScan confirms the affected plugin versions and the parameter-handling weakness.
The current EPSS of 0.9216 indicates a high likelihood of exploitation attempts, though the score has remained flat at its recorded peak rather than showing a post-disclosure climb. No additional real-world exploitation details are provided in the source data.
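The missing-validation pattern described above, beside the allowlist-based fix a plugin author would apply, as an added example. This is constructed illustration code, not the Web Directory Free plugin's source; the parameter name `view`, the `templates` directory and the template names are assumptions.

```php
<?php
// Constructed example: hardening an include() that is selected by a request
// parameter. Not the plugin's code; names and paths below are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: the only templates a request may select, keyed by public name.
// The raw parameter is never used to build a path; it is only a lookup key.
const ALLOWED_VIEWS = [
    'list'    => 'list.php',
    'details' => 'details.php',
    'search'  => 'search.php',
];

/**
 * Map a request parameter to a template path, or return null when the value
 * is not an allowlisted name. Rejects traversal, wrappers and absolute paths
 * by construction, because only the allowlisted filenames can be returned.
 */
function resolve_view(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_VIEWS)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_VIEWS[$requested]);
    // Defence in depth: the resolved file must still sit under TEMPLATE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable pattern the advisory describes (kept commented out): the
// parameter reaches include() unvalidated, so any readable local file loads.
// include($_GET['view']);

// Hardened usage: unknown names are refused before any file is touched.
$view = resolve_view(isset($_GET['view']) ? (string) $_GET['view'] : null);
if ($view === null) {
    http_response_code(400);
    exit('Unknown view');
}
include $view;
```

Sanitising helpers such as WordPress's `sanitize_key()` reduce the character set but do not replace the allowlist; the lookup into a fixed map is the control that prevents the inclusion of arbitrary paths.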
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32248
Vulnerability details
The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.