CVE-2024-13374
📋 TL;DR
The WP Table Manager WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to read arbitrary file names and directories. This occurs due to a missing capability check on the wptm_getFolders AJAX action. All WordPress sites using WP Table Manager version 4.1.3 or earlier are affected.
💻 Affected Systems
- WP Table Manager WordPress Plugin
📦 What is this software?
WP Table Manager by Joomunited
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the entire server filesystem, discover sensitive files (config files, backups, credentials), and use this information for further attacks like data theft or privilege escalation.
Likely Case
Attackers with subscriber accounts can enumerate directory structures, potentially discovering sensitive files that could be targeted in subsequent attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure about file system structure without actual file content access.
🎯 Exploit Status
Exploitation requires an authenticated account (Subscriber or higher) but is technically simple: a crafted AJAX request to the vulnerable endpoint is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.4 or later
Vendor Advisory: https://www.joomunited.com/wordpress-products/wp-table-manager
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Table Manager.
4. Click 'Update Now' if an update is available.
5. If no update shows, download version 4.1.4+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable the vulnerable AJAX endpoint via functions.php
Add the following to your theme's functions.php to remove the vulnerable AJAX action handler. Note that remove_action only takes effect if the callback name and priority match exactly what the plugin registered and the removal runs after the plugin's own registration, so confirm afterwards that the endpoint really returns an error.
add_action('init', function () {
    // Remove the handler for logged-in requests.
    remove_action('wp_ajax_wptm_getFolders', 'wptm_getFolders');
    // Remove the handler for unauthenticated requests, if one was registered.
    remove_action('wp_ajax_nopriv_wptm_getFolders', 'wptm_getFolders');
});
Temporary plugin deactivation
Deactivate the WP Table Manager plugin until the patched version is installed (WP-CLI, run from the site root):
wp plugin deactivate wp-table-manager
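An alternative workaround, added here as an example and not taken from the plugin or the advisory: instead of trying to remove the plugin's handler (which requires knowing its exact callback name and priority), hook the same AJAX action at priority 0 so a capability check runs before the plugin's handler regardless of how it was registered. It assumes manage_options is the capability legitimate table managers on your site hold; adjust that to your role setup.

```php
<?php
/**
 * Added example (not the plugin's own code): gate wptm_getFolders behind a
 * capability check. Priority 0 runs before the plugin's own callback, and
 * wp_send_json_error() exits, so the plugin handler never executes for
 * users who fail the check.
 */
add_action('wp_ajax_wptm_getFolders', function () {
    // Assumption: manage_options is the capability of users who may manage tables.
    if (!current_user_can('manage_options')) {
        // Record the blocked attempt; this line is what the SIEM query below can key on.
        error_log(sprintf(
            'Blocked wptm_getFolders for user %d from %s',
            get_current_user_id(),
            isset($_SERVER['REMOTE_ADDR'])
                ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))
                : 'unknown'
        ));
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }
}, 0);

// Unauthenticated requests should never reach this action at all.
add_action('wp_ajax_nopriv_wptm_getFolders', function () {
    wp_send_json_error(array('message' => 'Forbidden'), 403);
}, 0);
```

Place this in the theme's functions.php or a small must-use plugin; after installing the vendor fix it can be removed, since 4.1.4 adds its own check.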
🧯 If You Can't Patch
- Restrict user registration and review existing subscriber accounts for suspicious activity
- Implement web application firewall rules to block requests to wptm_getFolders AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WP Table Manager plugin version in WordPress admin under Plugins → Installed Plugins. If version is 4.1.3 or lower, you are vulnerable.
Check Version:
wp plugin get wp-table-manager --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 4.1.4 or higher. Then test by requesting the wptm_getFolders AJAX endpoint with Subscriber credentials; it should return a permission error rather than a directory listing.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wptm_getFolders from single user
- Unusual file path patterns in AJAX requests
Network Indicators:
- POST requests to admin-ajax.php with wptm_getFolders action from non-admin users
- Responses containing directory listings or file paths
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data CONTAINS "action=wptm_getFolders" AND user_role!="administrator"