CVE-2024-37454

6.5 MEDIUM

📋 TL;DR

This local file inclusion (path traversal) vulnerability in the AWSM Team WordPress plugin lets an attacker supply a crafted file path that escapes the directory the plugin intends to serve from, exposing files the web server process can read. It affects every WordPress site with AWSM Team 1.3.1 or earlier installed; the fix ships in 1.3.2.

💻 Affected Systems

Products:
  • AWSM Team - Team Showcase Plugin for WordPress
Versions: All versions up to and including 1.3.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any WordPress installation with an affected plugin version installed. Deactivating the plugin reduces the exposure, but its files stay on disk until it is removed or updated (see Temporary Workarounds).

📦 What is this software?

AWSM Team (WordPress.org slug awsm-team) is a plugin for building team-member showcase pages on a WordPress site. It is distributed through the WordPress.org plugin repository, which is also where the patched release is obtained.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers read any file the web server account can open: /etc/passwd, application configuration, backup copies, or other files holding credentials. Stolen database or hosting credentials then lead to database access and, from there, to full site or host compromise. Reads are bounded by the PHP process's filesystem permissions, so root-only files such as /etc/shadow are normally out of reach.

🟠

Likely Case

Attackers reaching wp-config.php, which holds the database credentials and authentication salts, leading to database compromise and site takeover. Note that if the vulnerable code path is a PHP include rather than a raw file read, PHP files such as wp-config.php are executed rather than echoed; the realistic disclosure targets are then non-PHP files (backups like wp-config.php.bak, logs, .env files), and including attacker-influenced content escalates to code execution.

🟢

If Mitigated

With the plugin patched or removed, or with PHP confined to the WordPress directory via open_basedir, file access stays inside the intended directory and system files and credentials outside it are unreachable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal payloads in a request parameter suffice; no memory corruption or race is involved. Public exploit details are available in security advisories. One caveat before treating this as unauthenticated: a CVSS 3.x score of 6.5 corresponds to a vector with low privileges required (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), whereas the same impact with no privileges scores 7.5, so confirm the required role against the vendor advisory before assuming anonymous exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/awsm-team/wordpress-awsm-team-team-showcase-plugin-plugin-1-3-1-local-file-inclusion-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'AWSM Team - Team Showcase'.
4. Click 'Update Now' if an update is offered.
5. Otherwise, download version 1.3.2 or later from the WordPress.org plugin repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily deactivate the vulnerable plugin until it is patched. Deactivation removes the plugin's hooks, but its files remain on disk; if the vulnerable endpoint is a directly requestable PHP file, deactivation alone may not close it, so prefer removal where you cannot patch promptly.

wp plugin deactivate awsm-team

Web Application Firewall Rule (all platforms)

Block path traversal patterns in requests.

Add a WAF rule that blocks requests whose path or query contains a '..' path segment after URL decoding. A literal match on '../' or '..\' alone is easy to evade with percent-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f) or backslash forms, so apply the rule to the decoded request (the OWASP Core Rule Set's path-traversal rules already do this). Expect some false positives on legitimate URLs that contain '..' inside a file name.

🧯 If You Can't Patch

  • Remove the AWSM Team plugin completely if patching is not possible
  • Confine PHP to the WordPress directory with the open_basedir directive so traversal cannot leave the web root
  • Keep credentials, backups and logs outside the web root and make sure the web server account cannot read files it does not need

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → AWSM Team version. If version is 1.3.1 or lower, you are vulnerable.

Check Version:

wp plugin get awsm-team --field=version

Verify Fix Applied:

Confirm plugin version is 1.3.2 or higher in WordPress admin panel.
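The three checks above amount to: find the plugin in the install, read its version, and compare it against 1.3.1. As an added example (not code from this page or from the plugin vendor), the Python below wraps the output of `wp plugin list --format=json`, which reports each plugin's slug, status and version, and does the comparison numerically so that a version such as 1.3.10 is not misread as older than 1.3.2 the way a string comparison would. The sample JSON is constructed for the example; `assess_live_site` runs WP-CLI against a real install.

```python
import json
import subprocess

PLUGIN_SLUG = "awsm-team"      # slug used by the page's WP-CLI commands
LAST_VULNERABLE = "1.3.1"      # CVE-2024-37454: versions <= 1.3.1 affected


def parse_version(v: str) -> tuple:
    """Turn '1.3.10' into (1, 3, 10); non-digit suffixes like '-beta' are dropped."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """Numeric comparison a <= b, padding shorter versions with zeros ('1.3' == '1.3.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta <= tb


def assess(plugin_list_json: str) -> dict:
    """Evaluate `wp plugin list --format=json` output for the affected plugin.

    'vulnerable' is true whenever an affected version is installed, active or not,
    because deactivation leaves the plugin files on disk.
    """
    for entry in json.loads(plugin_list_json):
        if entry.get("name") == PLUGIN_SLUG:
            version = entry.get("version", "")
            return {
                "installed": True,
                "active": entry.get("status") == "active",
                "version": version,
                "vulnerable": version_le(version, LAST_VULNERABLE),
            }
    return {"installed": False, "active": False, "version": None, "vulnerable": False}


def assess_live_site(wp_path: str = ".") -> dict:
    """Run WP-CLI against a real install (requires the wp binary on PATH)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess(out)


# Constructed sample in the shape WP-CLI emits; not data from a real site.
SAMPLE = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "awsm-team", "status": "active", "update": "available", "version": "1.3.1"},
])

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On a server with WP-CLI installed, `assess_live_site("/var/www/html")` gives the same dictionary for the real site; if it reports an affected version, `wp plugin update awsm-team` fetches the patched release, after which the check should report version 1.3.2 or later.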

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns to plugin endpoints
  • Unusual file access attempts in web server logs

Network Indicators:

  • GET requests with path traversal sequences to /wp-content/plugins/awsm-team/

SIEM Query:

web.url:*../* AND web.url:*awsm-team*

This wildcard query only matches the literal '../' sequence. Add the encoded forms ('%2e%2e%2f', '%2e%2e/', '..%2f', '..%5c') or, better, run the query against a URL field your pipeline has already decoded; otherwise encoded traversal attempts are missed.
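The WAF rule under Temporary Workarounds and the SIEM query above both key on the literal '../' sequence. As an added example (not code from this page or from the plugin vendor), the Python below shows the normalisation a detection rule needs before matching: it decodes percent-encoding twice, folds backslashes into slashes, undoes the '....//' trick that survives filters stripping '../' once, and only then looks for a '..' path segment in the path or any query value. The access-log lines are constructed for the example, and the endpoint name (`example.php`) and its `path` parameter are placeholders, not the plugin's real file or parameter name.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment bounded by start/end or a slash; '..-release-notes' does not match.
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")

PLUGIN_DIR = "/wp-content/plugins/awsm-team/"


def normalize(raw: str) -> str:
    """Canonicalise a request target before matching.

    Decodes percent-encoding twice (catches %2e%2e%2f and double-encoded
    %252e%252e%252f), folds backslashes, rewrites '....//' to '../', and
    collapses runs of slashes.
    """
    s = raw
    for _ in range(2):
        s = unquote(s)
    s = s.replace("\\", "/")
    prev = None
    while prev != s:
        prev = s
        s = s.replace("....//", "../")
    return re.sub(r"/{2,}", "/", s)


def is_traversal(url: str) -> bool:
    """True if the path or any query value contains a '..' segment after normalisation."""
    parts = urlsplit(url)
    candidates = [parts.path]
    for kv in parts.query.split("&"):
        candidates.extend(kv.split("=", 1)[1:])   # value only, if there is one
    return any(DOTDOT.search(normalize(c)) for c in candidates)


def scan_log(text: str) -> list:
    """One record per suspicious line: source IP, raw URL, whether it targeted the
    plugin directory, and whether the server answered 200 (the ones to triage first)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["url"]):
            continue
        hits.append({
            "ip": m["ip"],
            "url": m["url"],
            "plugin_path": PLUGIN_DIR in normalize(m["url"]),
            "served": m["status"] == "200",
        })
    return hits


# Constructed sample traffic (not real log data); example.php and ?path= are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/awsm-team/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/awsm-team/example.php?path=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/awsm-team/example.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-content/plugins/awsm-team/example.php?path=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [10/Jun/2024:12:00:05 +0000] "GET /wp-content/plugins/awsm-team/example.php?path=....//....//etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:12:00:06 +0000] "GET /blog/2024/..-release-notes/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the four encoded or obfuscated traversal requests are reported; the ordinary plugin page load and the '..-release-notes' URL are not. A 200 response with a non-trivial body size on one of these lines is the strongest hint that the read succeeded and should be examined first; a 4xx means the request was blocked or the path did not resolve.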
