CVE-2024-6164
Published: 18 July 2024
Summary
CVE-2024-6164 is a critical-severity Path Traversal (CWE-22) vulnerability in Ymc-22 Filter \& Grids. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Filter & Grids WordPress plugin before version 2.8.33 contains a local file inclusion vulnerability in the post_layout parameter. The flaw is tracked as CVE-2024-6164, carries a CVSS 3.1 score of 9.8, and is classified under CWE-22. It allows an attacker to supply an arbitrary file path that the plugin will include and execute as PHP on the server.
An unauthenticated remote attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants the ability to run arbitrary PHP code present on the filesystem, which can lead to full site compromise including data theft, modification, or further lateral movement within the hosting environment.
The EPSS score for this CVE has remained low, with a current value of 0.0530 and a recorded peak of 0.0679. WPScan has published an advisory detailing the vulnerability at the referenced URL.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47304
Vulnerability details
The Filter & Grids WordPress plugin before 2.8.33 is vulnerable to Local File Inclusion via the post_layout parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any…
more
PHP code in those files.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.