CVE-2024-3673
published 2024-08-30

CVE-2024-3673: The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion…

Priority: P2 · 63 · critical · 9.1 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT
EPSS: 5.58% (91.9th percentile)
The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.

Affected

1 range

Vendor           Product              Version range   Fixed in
salephpscripts   web_directory_free   < 1.7.3         1.7.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/web-directory-free
command: from_set_ajax=1&action=w2dc_controller_request&template=../../../../../etc/passwd
yara:
    rule CVE_2024_3673_LFI {
        strings:
            $s1 = "from_set_ajax=1"
            $s2 = "action=w2dc_controller_request"
            $s3 = "template="
        condition:
            all of them
    }
  • Look for POST requests to /wp-admin/admin-ajax.php containing the parameters 'from_set_ajax=1', 'action=w2dc_controller_request', and a 'template' parameter with path traversal sequences (e.g., '../').
  • Successful exploitation returns HTTP 200 with content-type text/html and a response body matching the pattern 'root:.*:0:0:' (contents of /etc/passwd), indicating successful Local File Inclusion.
  • Fingerprint vulnerable hosts by checking for the string '/wp-content/plugins/web-directory-free' in the HTTP response body of the target's homepage.
  • The attack is unauthenticated (no credentials required) and exploits the 'template' parameter passed to PHP's include() without validation in the Web Directory Free plugin before version 1.7.3.
  • The exploit requires the target site to have the Web Directory Free plugin installed and active (version < 1.7.3). The Nuclei template first confirms plugin presence before attempting exploitation.
  • EPSS score is extremely high (0.92053, 99.7th percentile), indicating this vulnerability is very likely being actively exploited in the wild.
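The detection logic from the bullets above, written out as an added Python example (not from this page, the plugin, or the Nuclei template): it merges query-string and body parameters, peels off nested percent-encoding so an encoded traversal is not missed, flags requests carrying the three parameters with a traversing `template`, and separately checks a response body for the /etc/passwd marker. The sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests (not real traffic): a benign plugin call,
# a plain traversal attempt, a double-encoded one, and an unrelated action.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "from_set_ajax=1&action=w2dc_controller_request&template=listing"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "from_set_ajax=1&action=w2dc_controller_request"
             "&template=../../../../../etc/passwd"},
    {"method": "GET", "body": "",
     "uri": "/wp-admin/admin-ajax.php?from_set_ajax=1&action=w2dc_controller_request"
            "&template=..%252f..%252fetc%2fpasswd"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat"},
]

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a "../" or "..\" path segment
PASSWD_LEAK = re.compile(r"root:[^\n]*:0:0:")       # root entry of /etc/passwd

def _params(request):
    """Merge query-string and body parameters (parse_qs decodes one layer)."""
    merged = parse_qs(urlsplit(request["uri"]).query, keep_blank_values=True)
    for key, values in parse_qs(request.get("body", ""), keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return merged

def _fully_decoded(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_w2dc_lfi_attempt(request):
    """True when the request carries the CVE-2024-3673 signature: admin-ajax.php,
    from_set_ajax=1, action=w2dc_controller_request and a traversing template."""
    if not urlsplit(request["uri"]).path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = _params(request)
    if ("1" not in params.get("from_set_ajax", [])
            or "w2dc_controller_request" not in params.get("action", [])):
        return False
    return any(TRAVERSAL.search(_fully_decoded(t)) for t in params.get("template", []))

def indicates_passwd_leak(response_body):
    """True when a response looks like it echoed /etc/passwd (exploitation succeeded)."""
    return PASSWD_LEAK.search(response_body) is not None
```

Pair `is_w2dc_lfi_attempt` on the request with `indicates_passwd_leak` on the response to separate blocked or failed attempts from confirmed file disclosure; plain access logs lack POST bodies, so this needs WAF or full-request logging.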