CVE-2024-13593
📋 TL;DR
The BMLT Meeting Map WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using this plugin version 2.6.0 or earlier are affected.
💻 Affected Systems
- BMLT Meeting Map WordPress Plugin
📦 What is this software?
Meeting Map by Bmltenabled
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through arbitrary PHP code execution, leading to complete site takeover, data exfiltration, and lateral movement within the hosting environment.
Likely Case
Unauthorized file access leading to sensitive data exposure, privilege escalation to administrator, and backdoor installation for persistent access.
If Mitigated
Limited impact if proper file permissions restrict PHP execution in upload directories and strong access controls are in place.
🎯 Exploit Status
Exploitation requires authenticated access and ability to upload files or knowledge of existing file paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.6.1 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find BMLT Meeting Map and click 'Update Now'.
4. Verify the plugin version is 2.6.1 or higher.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate bmlt-meeting-map
Restrict User Roles
Remove Contributor and higher roles from untrusted users.
🧯 If You Can't Patch
- Disable the BMLT Meeting Map plugin immediately
- Implement strict file upload restrictions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for BMLT Meeting Map version 2.6.0 or earlier
Check Version:
wp plugin get bmlt-meeting-map --field=version
Verify Fix Applied:
Verify plugin version shows 2.6.1 or higher after update
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion attempts in web server logs
- PHP execution from unexpected file paths
- Multiple failed authentication attempts followed by successful Contributor login
Network Indicators:
- HTTP requests with suspicious file paths in parameters
- Unusual outbound connections from web server
SIEM Query:
source="web_server" AND (uri_path="*bmlt_meeting_map*" AND (query="*file=*" OR query="*include=*"))
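As an added example (not part of the advisory), the following Python script applies the same logic as the SIEM query above to web server access logs, flagging requests to the plugin whose file or include parameter carries traversal sequences or PHP stream wrappers. The parameter names are taken from the SIEM query and are not confirmed from the plugin source; the log lines and the admin-ajax action name are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Parameter names mirror the advisory's SIEM query; they are illustrative and
# not confirmed from the plugin source.
WATCHED_PARAMS = {"file", "include"}
# Markers of a local file inclusion attempt: directory traversal or PHP stream
# wrappers in a value that should be a plain file name.
SUSPICIOUS = re.compile(r"\.\./|\.\.\\|%2e%2e|php://|data:", re.IGNORECASE)
# Apache/nginx combined log format, captured up to the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict if the request looks like an LFI attempt, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if "bmlt_meeting_map" not in uri.lower() and "bmlt-meeting-map" not in uri.lower():
        return None
    query = parse_qs(urlparse(uri).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for value in values:
            # parse_qs already decoded once; a second unquote exposes double encoding
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                        "value": decoded, "status": int(m.group("status"))}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log lines (not real traffic); the ajax action name is invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bmlt_meeting_map&file=../../wp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=bmlt_meeting_map&include=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=bmlt_meeting_map&file=default.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2025:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the two traversal requests are reported; the benign plugin request and the unrelated login request are ignored.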
🔗 References
- https://plugins.trac.wordpress.org/browser/bmlt-meeting-map/trunk/meeting_map.php#L510
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3226454%40bmlt-meeting-map&new=3226454%40bmlt-meeting-map&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c22e5765-54bd-4677-947c-8a7c48bdf65b?source=cve