CVE-2024-3813PHP Remote File Inclusion in Composer

CWE-98PHP Remote File Inclusion3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.7%
top 28.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tagdiv Composer
Timeline
PublishedJun 15

Description

The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases wher

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5tagdiv/tagdiv_composer4.8

🔴Vulnerability Details

2
CVEList
tagDiv Composer <= 4.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode2024-06-15
GHSA
GHSA-69pp-qfw7-q7cp: The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 42024-06-15
CVE-2024-3813 — PHP Remote File Inclusion in Composer | cvebase