cbcvebase.
CVE-2024-6460
published 2024-08-16


Priority: P2 · 68 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.83% (90.9th percentile)
The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

Affected (1 range)

Vendor        Product   Version range   Fixed in
tradedoubler  grow      < 2.0.22        2.0.22

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=tm_load_data&component=../../../../wp-config.php
path: /wp-content/plugins/tradedoubler-affiliate-tracker/
  • Responses to a successful include contain WordPress database constant names such as 'DB_NAME' and 'DB_PASSWORD' in the HTTP response body, indicating wp-config.php was included. Note that include() executes the file rather than printing it, and WordPress has already loaded wp-config.php, so these strings typically surface as PHP 'already defined' warnings (when errors are displayed) rather than as the raw credential values; the real impact is execution of any PHP file reachable from the traversal.
  • Identify installations running the plugin by checking for the path string 'wp-content/plugins/tradedoubler-affiliate-tracker/' in page body content (for example in script or stylesheet URLs); confirm the plugin version before treating a site as vulnerable.
  • The vulnerability is unauthenticated (PR:N): the 'component' parameter of the AJAX action 'tm_load_data' is reachable through admin-ajax.php without any prior authentication.
  • The traversal depth (../../../../) in the PoC targets wp-config.php from within the plugin directory. Counting from wp-content/plugins/tradedoubler-affiliate-tracker/, three ../ reach the WordPress root and four reach its parent, so the depth actually needed depends on the directory the plugin includes from and on whether wp-config.php sits in the WordPress root or one level above it (a layout WordPress supports); adjust the depth per target.
  • All versions of the Grow by Tradedoubler plugin through 2.0.21 are affected; version 2.0.22 and later are patched.
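As an added example (not part of the advisory, the sources, or the plugin's own code), the following Python detection takes the IOCs above (the admin-ajax.php endpoint, the tm_load_data action, the component parameter) and the affected range (< 2.0.22) and runs them over web-server access logs, flagging requests whose component value carries directory traversal, an absolute path, or a stream wrapper, after undoing single and double percent-encoding. The log format (Apache/nginx "combined"), the log lines, the IP addresses and the encoding-evasion handling are my own assumptions and constructed data, not patterns quoted from the sources.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Affected range from the advisory: everything below 2.0.22 is vulnerable.
FIXED_VERSION = (2, 0, 22)

# Apache/nginx "combined" access-log line (assumed format, not from the advisory).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "../" or "..\" as a path segment anywhere in the (decoded) value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log: one benign call, two traversal probes (plain and
# double-encoded), a POST whose body the access log cannot show, and an
# unrelated action. IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=tm_load_data&component=dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Aug/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=tm_load_data&component=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [16/Aug/2024:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=tm_load_data&component=..%252F..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [16/Aug/2024:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.9 - - [16/Aug/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&component=../x HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""


def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the installed Grow by Tradedoubler version is below the fixed 2.0.22."""
    return parse_version(version) < FIXED_VERSION


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e%252f) before inspecting the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_component(target: str):
    """Return the decoded 'component' value when the request target matches the
    CVE-2024-6460 pattern (admin-ajax.php, action=tm_load_data, and a component
    holding traversal, an absolute path or a stream wrapper); otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("action", [""])[0] != "tm_load_data":
        return None
    for component in query.get("component", []):
        value = decode_fully(component)
        if TRAVERSAL_RE.search(value) or value.startswith("/") or "://" in value:
            return value
    return None


def scan_log(lines):
    """One hit per access-log line whose request looks like a CVE-2024-6460 probe.
    Caveat: admin-ajax.php also accepts POST, and POST bodies are absent from
    access logs, so POST probes need WAF or request-body logging to be seen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = lfi_component(m["target"])
        if value is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": m["status"], "component": value})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print("2.0.21 affected:", is_affected("2.0.21"), "| 2.0.22 affected:", is_affected("2.0.22"))
```

The decoded component is kept in each hit so the same rule catches `..%2F` and `..%252F` variants as the plain `../` form; the POST line in the sample is deliberately not flagged, which is the gap a practitioner should close with request-body logging rather than by loosening the rule.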