CVE-2024-6460
Published 2024-08-16
Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.83% (90.9th percentile)
The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tradedoubler | grow | < 2.0.22 | 2.0.22 |
Detection & IOCs (extracted from sources)
- Successful exploitation responses will contain WordPress database credential strings such as 'DB_NAME' and 'DB_PASSWORD' in the HTTP response body, indicating wp-config.php was successfully included.
- Identify vulnerable WordPress installations by checking for the presence of the plugin path string 'wp-content/plugins/tradedoubler-affiliate-tracker/' in page body content.
- The vulnerability is unauthenticated (PR:N) and exploitable via the 'component' parameter in the AJAX action 'tm_load_data', allowing LFI without any prior authentication.
- The LFI traversal depth (../../../../) in the PoC targets wp-config.php from within the plugin directory. Actual traversal depth may vary depending on WordPress installation path depth.
- The vulnerability affects all versions of the Grow by Tradedoubler plugin through 2.0.21; version 2.0.22 and later are patched.
No detection rules found.
Nuclei
WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
nuclei · CVSS 9.8
CVE-2024-6460 [CRITICAL] WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
Template:
```yaml
id: CVE-2024-6460
info:
  name: WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
  author: ritikchaddha
  severity: critical
  description: |
    The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
```
No writeups or analysis indexed.