CVE-2024-6460
Published: 16 August 2024
Summary
CVE-2024-6460 is a critical-severity vulnerability of unspecified weakness type in Tradedoubler Grow. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Grow by Tradedoubler WordPress plugin through version 2.0.21 is affected by a local file inclusion vulnerability reachable through the component parameter. The flaw allows inclusion of arbitrary PHP files already present on the server, so any PHP code contained in those files is executed. The issue carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers with network access can exploit the vulnerability without user interaction to read or execute files, achieving full compromise of confidentiality, integrity, and availability on the affected installation. The current EPSS score of 0.9122, with a recorded peak of 0.9206, indicates sustained exploitation interest.
The single referenced advisory at wpscan.com provides further technical detail on the issue but does not include mitigation guidance within the supplied information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47556
Vulnerability details
The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
CWE(s): not specified
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.