CVE-2024-52428
Published: 18 November 2024
Summary
CVE-2024-52428 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Scripteo Ads Booster By Ads Pro. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue (CWE-98) stemming from improper control of filenames in include/require statements. It affects the Ads Booster by Ads Pro WordPress plugin (free-wp-booster-by-ads-pro) in versions up to and including 1.12.
An unauthenticated remote attacker can exploit the flaw over the network, albeit with elevated attack complexity, to include arbitrary local files. Successful exploitation can fully compromise the confidentiality, integrity, and availability of the affected site, as reflected in the CVSS 8.1 vector.
The sole reference points to a Patchstack advisory entry that catalogs the issue for the plugin; no further mitigation details such as patch availability or configuration guidance are supplied in the source data. The associated EPSS scores remain low and essentially flat, indicating no notable surge in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45913
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Peter Ads Booster by Ads Pro free-wp-booster-by-ads-pro allows PHP Local File Inclusion. This issue affects Ads Booster by Ads Pro: from n/a through <= 1.12.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.