CVE-2024-10516
published 2024-12-06


Priority: P2 (66) · High · CVSS 3.1 base score 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 6.48% (92.9th percentile)
The Swift Performance Lite plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 2.3.7.1 via the 'ajaxify' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affected (1 range)

Vendor   Product                 Version range   Fixed in
swte     swift_performance_lite  <= 2.3.7.1      (not listed)

Detection & IOCs (extracted from sources)

url:     /wp-admin/admin-ajax.php
path:    /wp-content/plugins/swift-performance-lite
command: action=swift_performance_ajaxify&data=WyJ0ZW1wbGF0ZS1wYXJ0IiwibnVsbCIsIi4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QiXQ==
         (the 'data' value base64-decodes to ["template-part","null","../../../../../etc/passwd"])
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the parameter 'action=swift_performance_ajaxify' from unauthenticated sources (no WordPress login cookie on the request).
  • Flag requests whose 'data' parameter carries a base64-encoded payload containing path-traversal sequences (e.g. the decoded value contains '../../../../../etc/passwd') sent to the ajaxify action. Decode the value before matching: the traversal string is not visible in the raw request.
  • Successful exploitation can be confirmed if the HTTP 200 response body matches the regex 'root:.*:0:0:', indicating that /etc/passwd was included.
  • Identify WordPress installations running the plugin by searching for the string '/wp-content/plugins/swift-performance-lite' in HTTP response bodies (FOFA/Shodan fingerprinting); this shows only that the plugin is present, not whether the installed version is <= 2.3.7.1.
  • The vulnerability is exploitable by unauthenticated attackers (no credentials required), so no authentication bypass is needed before exploitation.
  • The vulnerable parameter is 'ajaxify' (the 'data' POST parameter in the PoC), processed by the 'ajaxify' function in all plugin versions up to and including 2.3.7.1.
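The detection rules above, as an added worked example that is not part of this advisory and not code from the plugin or its vendor: it decodes the 'data' parameter, checks for traversal inside the decoded JSON array, flags unauthenticated calls, and applies the 'root:.*:0:0:' response check. The request records are constructed for the example; the assumption that a collector (WAF or reverse-proxy log) retains POST bodies and cookies, and that a wordpress_logged_in_* cookie marks an authenticated session, is ours.

```python
# Added example (not from the advisory or the plugin): detection logic for
# CVE-2024-10516 exploitation attempts against /wp-admin/admin-ajax.php.
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "swift_performance_ajaxify"
# Matches a ".." path component in either slash style, e.g. "../" or "\..\".
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Response-body check from the advisory: a leaked /etc/passwd root entry.
PASSWD_RE = re.compile(r"root:.*:0:0:")

# The 'data' value quoted in the advisory's PoC request.
POC_DATA = "WyJ0ZW1wbGF0ZS1wYXJ0IiwibnVsbCIsIi4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QiXQ=="


def decode_data_param(value):
    """Base64-decode the 'data' parameter, tolerating missing padding and
    '+' characters that a form decoder may already have turned into spaces.
    Returns the decoded text, or None if the value is empty or not base64."""
    if not value:
        return None
    cleaned = value.replace(" ", "+")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def extract_params(request):
    """Merge query-string and form-body parameters (body wins on conflict)."""
    params = {}
    for source in (urlsplit(request["url"]).query, request.get("body", "")):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params[key] = values[-1]
    return params


def is_authenticated(request):
    """Assumption: WordPress sets a wordpress_logged_in_* cookie for logins."""
    return "wordpress_logged_in_" in request.get("cookie", "")


def inspect_request(request):
    """Return a list of findings for one request record; empty means benign."""
    findings = []
    if urlsplit(request["url"]).path != AJAX_PATH:
        return findings
    params = extract_params(request)
    if params.get("action") != TARGET_ACTION:
        return findings
    if not is_authenticated(request):
        findings.append("unauthenticated call to swift_performance_ajaxify")
    decoded = decode_data_param(params.get("data", ""))
    if decoded is None:
        return findings
    # The PoC payload is a JSON array whose third element is the include path,
    # so check each element as well as the raw text, after URL-decoding.
    candidates = [decoded, unquote(decoded)]
    try:
        parsed = json.loads(decoded)
        if isinstance(parsed, list):
            candidates.extend(unquote(str(item)) for item in parsed)
    except json.JSONDecodeError:
        pass
    if any(TRAVERSAL_RE.search(c) for c in candidates):
        findings.append("path traversal in decoded data: " + decoded)
    return findings


def confirms_passwd_leak(status, body):
    """True when a response looks like a successfully included /etc/passwd."""
    return status == 200 and PASSWD_RE.search(body) is not None


def scan(requests):
    """Inspect every request record; returns one findings list per record."""
    return [inspect_request(r) for r in requests]


# Constructed sample request records (not real traffic).
BENIGN_DATA = base64.b64encode(b'["template-part","null","header"]').decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "url": AJAX_PATH,
     "body": "action=" + TARGET_ACTION + "&data=" + POC_DATA, "cookie": ""},
    {"method": "POST", "url": AJAX_PATH,
     "body": "action=heartbeat&_nonce=abc", "cookie": "wordpress_logged_in_1=x"},
    {"method": "POST", "url": AJAX_PATH,
     "body": "action=" + TARGET_ACTION + "&data=" + BENIGN_DATA,
     "cookie": "wordpress_logged_in_1=x"},
]

if __name__ == "__main__":
    for record, result in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(record["body"][:60], "->", result or "clean")
```

Only the first record produces findings: the PoC request is both unauthenticated and carries the traversal inside the decoded array. A legitimate ajaxify call from a logged-in session with a normal template name stays clean, which is the distinction a rule keyed only on the action name would miss.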