CVE-2024-27971
📋 TL;DR
This path traversal vulnerability in Premmerce Permalink Manager for WooCommerce allows attackers to include arbitrary PHP files from the server's filesystem, potentially leading to remote code execution. It affects all WordPress sites using this plugin from any version up to 2.3.10. Attackers can exploit this without authentication to read sensitive files or execute malicious code.
💻 Affected Systems
- Premmerce Permalink Manager for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to internal networks.
Likely Case
Sensitive file disclosure (configuration files, database credentials) leading to data theft and potential privilege escalation to full site takeover.
If Mitigated
Limited impact if proper file permissions and web application firewalls block traversal attempts, though information disclosure may still occur.
🎯 Exploit Status
Exploitation requires minimal technical skill. Public proof-of-concept demonstrates file inclusion via crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.11 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premmerce Permalink Manager for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.3.11+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the plugin until patched version is available.
wp plugin deactivate woo-permalink-manager
Web Application Firewall rule
allBlock path traversal patterns in requests to the plugin.
Add WAF rule to block requests containing '../' or similar traversal sequences
🧯 If You Can't Patch
- Implement strict file permissions (755 for directories, 644 for files) to limit readable files.
- Deploy a web application firewall with path traversal protection rules.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Premmerce Permalink Manager for WooCommerce' version ≤2.3.10.Check Version:
wp plugin get woo-permalink-manager --field=versionVerify Fix Applied:
Confirm plugin version is 2.3.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' sequences targeting the plugin's endpoints
- Unexpected PHP file inclusion errors in web server logs
Network Indicators:
- Unusual GET/POST requests with path traversal payloads to /wp-content/plugins/woo-permalink-manager/
SIEM Query:
source="web_logs" AND (uri="*../*" AND uri="*woo-permalink-manager*")🔗 References
- https://patchstack.com/database/vulnerability/woo-permalink-manager/wordpress-premmerce-permalink-manager-for-woocommerce-plugin-2-3-10-local-file-inclusion-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/woo-permalink-manager/wordpress-premmerce-permalink-manager-for-woocommerce-plugin-2-3-10-local-file-inclusion-vulnerability?_s_id=cve
