CVE-2024-12859

8.8 HIGH

📋 TL;DR

The BoomBox Theme Extensions plugin for WordPress has a Local File Inclusion vulnerability that allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and access control bypass. All WordPress sites using this plugin up to version 1.8.0 are affected.

💻 Affected Systems

Products:
  • BoomBox Theme Extensions WordPress Plugin
Versions: All versions up to and including 1.8.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have at least contributor-level WordPress user permissions. The vulnerability is in the 'boombox_listing' shortcode's 'type' parameter.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through arbitrary PHP code execution, leading to data exfiltration, website defacement, backdoor installation, and lateral movement within the hosting environment.

🟠 Likely Case

Unauthorized access to sensitive files, privilege escalation to administrator, and installation of web shells or malware on vulnerable WordPress sites.

🟢 If Mitigated

Limited impact if proper file upload restrictions and server hardening are in place, though sensitive file disclosure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of the vulnerable shortcode parameter. Attackers need to be able to create or edit posts/pages with the vulnerable shortcode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.8.0

Vendor Advisory: https://documentation.px-lab.com/boombox/changelog/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'BoomBox Theme Extensions'.
  4. Click 'Update Now' if an update is available.
  5. If no update appears, manually download the latest version from the vendor and replace the plugin files.

🔧 Temporary Workarounds

Remove Contributor Access

Applies to: all

Temporarily remove contributor-level permissions from untrusted users until the patch is applied.

Disable Plugin

Applies to: all

Deactivate the BoomBox Theme Extensions plugin if it is not essential for site functionality.

🧯 If You Can't Patch

  • Implement strict file upload restrictions to prevent PHP file uploads
  • Apply WordPress hardening measures including disabling file editing, restricting plugin/theme installation, and implementing web application firewall rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for BoomBox Theme Extensions version 1.8.0 or earlier.

Check Version:

wp plugin list --name='boombox-theme-extensions' --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.8.0 after update. Test that the 'boombox_listing' shortcode no longer accepts arbitrary file paths in the 'type' parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests containing 'boombox_listing' shortcode with file paths in 'type' parameter
  • Multiple failed attempts to access system files via WordPress

Network Indicators:

  • HTTP requests with unusual file paths in shortcode parameters
  • Traffic patterns suggesting file inclusion attempts

SIEM Query:

source="wordpress" AND (uri_path="*/wp-admin/*" OR uri_path="*/wp-json/*") AND (request_body LIKE "%boombox_listing%" AND request_body LIKE "%type=%")
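A log-scanning check for the first Log Indicator above, added here as an example; it is not part of this advisory or of the plugin. It decodes each form-encoded POST body once, pulls the 'type' attribute out of every boombox_listing shortcode and flags values that look like file paths rather than a plain listing keyword. The log line format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic):
# "<client> <wp_user> <method> <path> body=<urlencoded form body>"
SAMPLE_LOG = [
    '203.0.113.5 contributor1 POST /wp-admin/post.php body=post_ID=12&content=%5Bboombox_listing+type%3D%22grid%22%5D',
    '203.0.113.9 contributor7 POST /wp-admin/post.php body=post_ID=13&content=%5Bboombox_listing+type%3D%22..%2F..%2F..%2Fwp-config.php%22%5D',
    '203.0.113.9 contributor7 POST /wp-admin/post.php body=post_ID=14&content=%5Bboombox_listing+type%3D%27%252e%252e%2Fwp-load.php%27%5D',
    '198.51.100.2 editor2 POST /wp-admin/post.php body=post_ID=15&content=Hello+world',
]

LOG_RE = re.compile(r'^(?P<client>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$')
# One boombox_listing shortcode; group(1) is its attribute string.
SHORTCODE_RE = re.compile(r'\[boombox_listing\b([^\]]*)\]', re.IGNORECASE)
# type="..." , type='...' or a bare type=value inside the attribute string.
TYPE_ATTR_RE = re.compile(r'''\btype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))''', re.IGNORECASE)
# A legitimate listing type is a plain keyword. Flag anything path-like: directory
# separators, traversal (also left single-encoded), null bytes, stream wrappers, .php suffix.
SUSPICIOUS_RE = re.compile(r'[/\\]|\.\.|%2e%2e|%00|\x00|://|\.php\b', re.IGNORECASE)


def shortcode_type_values(body: str) -> list[str]:
    """Decode a form body once and return the 'type' value of every boombox_listing shortcode in it."""
    decoded = unquote_plus(body)
    values = []
    for sc in SHORTCODE_RE.finditer(decoded):
        attr = TYPE_ATTR_RE.search(sc.group(1))
        if attr:
            values.append(next(v for v in attr.groups() if v is not None))
    return values


def is_path_like(value: str) -> bool:
    """True when a 'type' value contains path or traversal characters a listing keyword never needs."""
    return SUSPICIOUS_RE.search(value) is not None


def scan_log(lines):
    """Return (wp_user, client, type_value) for each POST whose shortcode 'type' looks like a file path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'POST':
            continue
        for value in shortcode_type_values(m.group('body')):
            if is_path_like(value):
                findings.append((m.group('user'), m.group('client'), value))
    return findings


if __name__ == '__main__':
    for user, client, value in scan_log(SAMPLE_LOG):
        print(f'ALERT user={user} client={client} boombox_listing type={value!r}')
```

Because the body is decoded only once, a doubly encoded traversal still surfaces as a literal %2e%2e and is caught by the same pattern; adjust LOG_RE to the field layout of your own web server or WAF log.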
