THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)

Ok

PUBLISHED

CVE-2024-4098

Shariff Wrapper <= 4.6.13 - Unauthenticated Local File Inclusion

Assigner:Wordfence
Reserved:2024-04-23
Published:2024-06-20
Updated:2024-06-20

Description

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.



CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

*
affected

Timeline

2024-06-19:Disclosed

Credits

haidv35 finder

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f49fba00-c576-4a1a-8b0b-9ebed3e3d090?source=cve

https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L410

https://plugins.trac.wordpress.org/changeset/3103137

cve.org CVE-2024-4098

nvd.nist.gov CVE-2024-4098

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-4098
Find us on
Data Privacy
Terms of Use
Logo Silicon Valley Europe
Logo BSI Allianz für Cyber-Sicherheit