CVE-2024-39624

8.5 HIGH

📋 TL;DR

This is a local file inclusion (LFI) vulnerability in the ListingPro WordPress theme: attacker-controlled input reaches a PHP include without sanitisation, so path traversal sequences (../) let an unauthenticated attacker include arbitrary files from the server's filesystem. Including a PHP file executes it; including any other file the web server user can read (wp-config.php, /etc/passwd) discloses its contents. It affects all sites running ListingPro 2.9.3 or earlier. Turning disclosure into code execution additionally requires a file the attacker can write to and then include (an upload, a log, a PHP session file); disclosure of the database credentials in wp-config.php is often enough on its own to take over the site.

💻 Affected Systems

Products:
  • WordPress ListingPro Theme
Versions: All versions up to and including 2.9.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with ListingPro theme active. No special configuration needed.

📦 What is this software?

ListingPro is a commercial directory and business-listing theme for WordPress, used to build listing, review and local-business directory sites.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠 Likely Case

Sensitive file disclosure (configuration files, database credentials) and limited code execution within the web server context.

🟢 If Mitigated

Request blocked at the WAF, or the include constrained by PHP's open_basedir so traversal outside the site's document root fails; no impact beyond log noise. File permissions alone do not mitigate this: the include runs as the web server user, which must be able to read the files anyway.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal payloads can trigger the vulnerability. Public exploit details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/listingpro/wordpress-listingpro-theme-2-9-3-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the ListingPro theme to version 2.9.4 or later. ListingPro is a commercially licensed theme, so the update comes from the vendor (through the theme's own updater or a manual upload of the new package), not from the WordPress.org repository.
2. Verify the theme files were actually replaced: check the Version header in wp-content/themes/listingpro/style.css or the output of wp theme list.
3. Clear any page or object cache so no stale theme output is served.

🔧 Temporary Workarounds

WAF Rule Implementation

Applies to: all

Block path traversal patterns at the web application firewall before they reach PHP.

Add a WAF rule that blocks requests to /wp-content/themes/listingpro/ whose path or query string contains '../' or '..\'. Match against the decoded request, not just the literal bytes: attackers send '..%2f', '%2e%2e/' and double-encoded '%252e%252e%252f' to slip past naive string rules. Blocking '../' site-wide is also an option, but watch for false positives in legitimate URLs and request bodies.

Theme Deactivation

Applies to: linux

Switch the site to another theme until ListingPro is patched. WP-CLI has no theme deactivate subcommand; a theme is deactivated by activating a different one:

wp theme install twentytwentyfour
wp theme activate twentytwentyfour

Caveat: this only stops WordPress from loading ListingPro's code. The theme's PHP files stay on disk under wp-content/themes/listingpro/, and if the vulnerable script can be requested directly it stays reachable; to remove the exposure entirely, delete the theme (wp theme delete listingpro) and reinstall the fixed version later. Switching themes also changes the site's appearance and disables theme-specific features, so schedule it as a maintenance window.

🧯 If You Can't Patch

  • Restrict what PHP may read with open_basedir (for example the WordPress document root and its temp directory); file permissions alone do not help, because the include runs as the web server user, which must be able to read the files anyway
  • Keep allow_url_include off (the PHP default) so the include cannot be pointed at a remote URL
  • Deploy a web application firewall with path traversal detection rules that also match URL-encoded and double-encoded variants
  • Review upload handling and log locations: code execution via LFI needs a file the attacker can write to, so keeping uploads out of includable locations and logs outside the web root raises the bar

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes for ListingPro version. If version is 2.9.3 or earlier, system is vulnerable.

Check Version:

wp theme list --name=listingpro --field=version

Verify Fix Applied:

Confirm ListingPro theme version is 2.9.4 or later in WordPress admin panel.
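WordPress stores a theme's version in the Version header of its style.css, which is what wp theme list reads. The following script is an added example (not part of the original advisory or any vendor tooling) that checks that header across servers where WP-CLI is not installed, and compares versions numerically rather than as strings so that a future 2.9.10 is not misjudged as older than 2.9.4. The style.css header below is constructed for the example; the only assumption about the real theme is that it lives at wp-content/themes/listingpro/.

```python
import re
import sys
from pathlib import Path

# Constructed style.css header in the layout WordPress uses for theme metadata
# (the "Version:" line in the leading comment). Values are made up for the example.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: ListingPro
Theme URI: https://example.test/listingpro
Description: Directory and listings theme (sample header, not the real file)
Version: 2.9.3
*/
body { margin: 0; }
"""

FIXED_IN = "2.9.4"  # first release the advisory reports as patched

VERSION_RE = re.compile(r"^\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def theme_version(style_css: str):
    """Pull the Version header out of a theme's style.css; None if absent."""
    m = VERSION_RE.search(style_css)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison: plain string comparison would rank
    '2.9.10' below '2.9.4', which is exactly the wrong answer here."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the parsed version is older than the first fixed release."""
    return version_key(version) < version_key(FIXED_IN)


def assess(style_css: str) -> dict:
    """Return the parsed version and the verdict for one style.css body."""
    v = theme_version(style_css)
    return {
        "version": v,
        "vulnerable": None if v is None else is_vulnerable(v),
    }


def assess_path(themes_dir: str) -> dict:
    """Check <themes_dir>/listingpro/style.css on disk; themes_dir is normally
    wp-content/themes. A missing file yields no verdict rather than a crash."""
    css = Path(themes_dir) / "listingpro" / "style.css"
    if not css.is_file():
        return {"version": None, "vulnerable": None}
    return assess(css.read_text(errors="replace"))


if __name__ == "__main__":
    # Usage: python check_listingpro.py /var/www/html/wp-content/themes
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = assess_path(target) if target else assess(SAMPLE_STYLE_CSS)
    print(result)
```

Run it with the path to a site's wp-content/themes directory; with no argument it evaluates the embedded sample header. A "vulnerable": None result means the header could not be read and the site needs a manual look.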

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns to theme PHP files
  • Unusual file access attempts in web server logs

Network Indicators:

  • HTTP requests with path traversal payloads to /wp-content/themes/listingpro/

SIEM Query:

source="web_access.log" AND uri="*listingpro*" AND (uri="*../*" OR uri="*..%2f*" OR uri="*..%5c*" OR uri="*%2e%2e*" OR uri="*%252e%252e*")
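The SIEM query matches literal byte patterns, so it misses encodings it does not list. As an added example (not part of the original advisory or any vendor tooling), the following Python script applies the same idea to raw access-log lines but URL-decodes each request first, so single-encoded, double-encoded and backslash traversal sequences all collapse to the same '../' before matching. The log lines are constructed for the example, and the endpoint example.php and parameter tpl are placeholders: the advisory does not name the vulnerable file or parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format. The endpoint
# (example.php) and parameter (tpl) are placeholders: the advisory does not name
# the vulnerable file, and none of these are real requests.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:10:02:11 +0000] "GET /wp-content/themes/listingpro/example.php?tpl=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [11/Jul/2024:10:02:12 +0000] "GET /wp-content/themes/listingpro/example.php?tpl=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1873 "-" "python-requests/2.31"
203.0.113.12 - - [11/Jul/2024:10:02:13 +0000] "GET /wp-content/themes/listingpro/example.php?tpl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.13 - - [11/Jul/2024:10:02:14 +0000] "GET /wp-content/themes/listingpro/example.php?tpl=..%5c..%5cwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2024:10:02:15 +0000] "GET /wp-content/themes/listingpro/style.css HTTP/1.1" 200 40123 "https://example.test/" "Mozilla/5.0"
198.51.100.8 - - [11/Jul/2024:10:02:16 +0000] "GET /wp-content/themes/twentytwentyfour/x.php?f=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
THEME_PATH = "/wp-content/themes/listingpro/"
# A '..' segment delimited by a slash, backslash or query separator; '1..2' does not match.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\?=&;])\.\.(?:[/\\]|$)")


def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both end up as '../'. The round limit
    bounds the work on junk input."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def normalize(uri: str) -> str:
    """Decode, map backslashes (..%5c) to forward slashes and lower-case the
    result so the theme-path check is not fooled by /WP-CONTENT/."""
    return fully_decode(uri).replace("\\", "/").lower()


def scan_log(text: str, theme_path: str = THEME_PATH) -> list:
    """Return one record per request that targets theme_path with a traversal
    sequence anywhere in the decoded path or query string."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        raw = m.group("uri")
        norm = normalize(raw)
        if theme_path not in norm or not TRAVERSAL_RE.search(norm):
            continue
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "raw": raw,
            "decoded": norm,
            # True when decoding changed the request, i.e. the sequence was hidden behind URL encoding
            "encoded": norm != raw.lower(),
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], "encoded" if h["encoded"] else "plain", h["decoded"])
```

Feed it a real access log and treat a 200 response to a traversal request as a stronger signal than a 404 or 500; a 200 with a body size matching wp-config.php means the include succeeded. Passing a different theme_path reuses the same logic for traversal attempts against any other theme or plugin directory.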
