CVE-2024-24869

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in the BoldGrid Total Upkeep WordPress plugin lets an attacker download arbitrary files from the server by supplying a manipulated file path. It affects every WordPress site running Total Upkeep up to and including version 1.15.8. Any file readable by the web server user is within reach, including wp-config.php with its database credentials and authentication keys, log files, and backup archives.

💻 Affected Systems

Products:
  • BoldGrid Total Upkeep WordPress Plugin
Versions: all releases up to and including 1.15.8 (fixed in 1.15.9)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions. No special configuration required for exploitation.

📦 What is this software?

Total Upkeep (plugin slug boldgrid-backup) is BoldGrid's backup, restore and migration plugin for WordPress. It creates archives of the site's files and database on a schedule or on demand and lets administrators download and restore them from the dashboard.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through retrieval of wp-config.php, which holds the database credentials and the authentication keys and salts. With those an attacker can take over the database, forge administrator sessions, install a malicious plugin to gain code execution, or deface the site.

🟠

Likely Case

Unauthorized access to sensitive files including configuration files, logs, and backup archives, potentially exposing credentials and site data.

🟢

If Mitigated

Limited impact where file permissions and web server rules keep unrelated files out of the web server user's reach. Note that wp-config.php must remain readable by that user for WordPress to run at all, so the most valuable target stays exposed until the plugin is patched or deactivated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires minimal technical skill. Public proof-of-concept demonstrates file download capability via crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.9 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/boldgrid-backup/wordpress-total-upkeep-plugin-1-15-8-arbitrary-file-download-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find BoldGrid Total Upkeep.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 1.15.9 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Deactivate Total Upkeep until the site is on 1.15.9 or later. A deactivated plugin's code does not run, so this also suspends the backups it schedules; re-enable it once patched.

wp plugin deactivate boldgrid-backup

Web Server Restrictions (all platforms)

Block requests that carry a traversal sequence. The rules must look at the raw request line, not the URI path: LocationMatch and location directives are matched against the path only, never the query string, and nginx collapses ../ out of the path before matching locations, so a rule on the path catches almost nothing. Neither web server inspects POST bodies with these rules, so treat this as a stop-gap alongside a WAF, not as a fix.

# Apache (mod_rewrite; THE_REQUEST is the raw request line, so the query string and %2e-encoded dots are visible)
RewriteEngine On
RewriteCond %{THE_REQUEST} (\.\.(/|%2f)|%2e%2e) [NC]
RewriteRule .* - [F,L]
# Nginx (place in the server block; $uri is normalised before matching, so test $request_uri instead)
if ($request_uri ~* "(\.\.(/|%2f)|%2e%2e)") { return 403; }

🧯 If You Can't Patch

  • Disable the Total Upkeep plugin immediately
  • Implement web application firewall rules that block path traversal patterns in the path, the query string and the request body, including the percent-encoded (%2e%2e, ..%2f) and double-encoded (%252e%252e) forms

🔍 How to Verify

Check if Vulnerable:

Check the installed plugin version via the admin panel (Plugins > Installed Plugins), from the 'Stable tag:' line in wp-content/plugins/boldgrid-backup/readme.txt, or from the 'Version:' header of the plugin's main PHP file. Any version below 1.15.9 is vulnerable.

Check Version:

wp plugin get boldgrid-backup --field=version

Verify Fix Applied:

Confirm plugin version is 1.15.9 or higher in WordPress admin
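A small script to make the version check repeatable across many sites, added here as an example; it is not part of the advisory or of the plugin. It reads the standard 'Stable tag:' line from wp-content/plugins/boldgrid-backup/readme.txt (the WordPress plugin readme convention) and compares versions numerically rather than as strings, which matters because a plain string comparison ranks 1.15.10 below 1.15.9 and would report a patched site as vulnerable. The sample readme text embedded below is constructed.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "1.15.9"          # first release with the fix, per the advisory
PLUGIN_DIR = "wp-content/plugins/boldgrid-backup"

# Constructed sample of a plugin readme.txt header; the real file lives in PLUGIN_DIR.
SAMPLE_README = """=== Total Upkeep ===
Contributors: boldgrid
Requires at least: 4.4
Stable tag: 1.15.8
"""


def parse_version(text: str) -> tuple:
    """Convert '1.15.8' to (1, 15, 8) so comparison is numeric.

    Comparing the raw strings would rank '1.15.10' below '1.15.9' and
    report a patched install as vulnerable.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def stable_tag(readme_text: str) -> str:
    """Return the value of the 'Stable tag:' line from a plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.IGNORECASE | re.MULTILINE)
    if not m:
        raise ValueError("no 'Stable tag:' line in readme.txt")
    return m.group(1)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below FIXED_VERSION (1.15.9)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_site(wordpress_root: Path) -> bool:
    """Read the installed plugin's readme.txt under wordpress_root and assess it."""
    readme_path = wordpress_root / PLUGIN_DIR / "readme.txt"
    readme = readme_path.read_text(encoding="utf-8", errors="replace")
    return is_vulnerable(stable_tag(readme))


if __name__ == "__main__":
    # Usage: python check_total_upkeep.py /var/www/html   (defaults to the constructed sample)
    if len(sys.argv) > 1:
        vulnerable = check_site(Path(sys.argv[1]))
    else:
        vulnerable = is_vulnerable(stable_tag(SAMPLE_README))
    print("VULNERABLE" if vulnerable else f"patched (>= {FIXED_VERSION})")
    sys.exit(1 if vulnerable else 0)
```

The non-zero exit status on a vulnerable install lets the script slot into a fleet-wide loop over WordPress roots, and the readme file is readable without loading WordPress, so the check works from a shell on the host or over a file share.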

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to plugin endpoints whose path or query string contains '../' or '..\', including the percent-encoded forms (%2e%2e, ..%2f) and double-encoded forms (%252e%252e)
  • Repeated requests of that shape from a single IP, especially with 200 responses, which indicate the requested file was served

Network Indicators:

  • Requests to /wp-content/plugins/boldgrid-backup/ carrying traversal sequences in the path or query string, plain or percent-encoded
  • Abnormal file download patterns, such as large or unexpected responses to requests against the plugin directory; traversal submitted in a POST body does not appear in standard access logs, so a WAF or application-level log is needed to see it

SIEM Query:

web.url:*boldgrid-backup* AND (web.url:*..* OR web.url:*%2e%2e* OR web.url:*%252e%252e*)

The query only works if the indexed URL field retains the query string; if your pipeline strips it, search the raw request line instead.
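The indicators above can be run over raw access logs where no SIEM is available. The script below is an added example, not from the advisory or the plugin; the log lines are constructed, and the endpoint name download.php in them is a placeholder, not the plugin's actual vulnerable file. It URL-decodes each request target twice (to catch %2e%2e and double-encoded %252e variants), folds backslashes to slashes, and flags requests under the boldgrid-backup directory whose decoded path or query string contains a '../' sequence, then counts hits per source address.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed combined-format access log lines. "download.php" is a placeholder
# endpoint for illustration, not the plugin's actual vulnerable file.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Feb/2024:10:00:01 +0000] "GET /wp-content/plugins/boldgrid-backup/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2024:10:00:02 +0000] "GET /wp-content/plugins/boldgrid-backup/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3456 "-" "curl/8.4.0"
203.0.113.7 - - [10/Feb/2024:10:00:03 +0000] "GET /wp-content/plugins/boldgrid-backup/download.php?file=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3456 "-" "curl/8.4.0"
203.0.113.7 - - [10/Feb/2024:10:00:04 +0000] "GET /wp-content/plugins/boldgrid-backup/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 210 "-" "curl/8.4.0"
198.51.100.9 - - [10/Feb/2024:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 403 150 "-" "python-requests/2.31"
198.51.100.3 - - [10/Feb/2024:10:00:06 +0000] "GET /blog/dots..in..name/ HTTP/1.1" 200 500 "-" "Mozilla/5.0"
'''

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r"\.\./")   # '..' followed by a separator, after normalisation


def normalise_target(target: str) -> str:
    """Decode twice (catches %2e%2e and %252e double encoding), fold backslashes to '/', lowercase."""
    return unquote(unquote(target)).replace("\\", "/").lower()


def is_traversal(target: str) -> bool:
    """True if the decoded path or query string contains a '../' sequence.

    '....//' is caught too, since it contains '../' starting at its third
    character. A bare substring test for '..' would also flag harmless
    names such as '/blog/dots..in..name/', which this pattern does not.
    """
    return TRAVERSAL_RE.search(normalise_target(target)) is not None


def targets_plugin(target: str) -> bool:
    """True if the request is aimed at the Total Upkeep plugin directory."""
    return "/wp-content/plugins/boldgrid-backup/" in normalise_target(target)


def scan(log_text: str) -> list:
    """Return one dict per request that is both plugin-scoped and a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if targets_plugin(target) and is_traversal(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": target,
                "status": int(m.group("status")),   # 200 suggests the file was served
            })
    return hits


def attempts_by_source(hits: list) -> Counter:
    """Count flagged requests per client IP, for the single-IP indicator above."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]}')
    print(dict(attempts_by_source(found)))
```

On the constructed sample the scan flags the three requests from 203.0.113.7 (plain, encoded and double-encoded) and ignores both the traversal against /index.php, which is out of scope for this plugin, and the benign path containing '..' inside a name. Widen targets_plugin if the vulnerable endpoint on your install is reached through another path, and remember that access logs never carry POST bodies.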

🔗 References

📤 Share & Export