CVE-2024-49286

9.6 CRITICAL

📋 TL;DR

This path traversal vulnerability in the SSV Events WordPress plugin allows attackers to include arbitrary local PHP files, potentially leading to remote code execution. All WordPress sites running SSV Events version 3.2.7 or earlier are affected. The vulnerability requires no authentication to exploit.

💻 Affected Systems

Products:
  • WordPress SSV Events Plugin
Versions: n/a through 3.2.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to website defacement, data theft, or cryptocurrency mining malware installation.

🟢 If Mitigated

Limited file disclosure if PHP execution is restricted, but sensitive file contents could still be exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. The vulnerability requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.2.7

Vendor Advisory: https://patchstack.com/database/vulnerability/ssv-events/wordpress-ssv-events-plugin-3-2-7-local-file-inclusion-to-rce-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find SSV Events and update to the latest version.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable SSV Events Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate ssv-events

Restrict PHP File Access (platform: linux)

Add .htaccess rules to block direct access to plugin PHP files:

<Files "*.php">
    Order Allow,Deny
    Deny from all
</Files>

🧯 If You Can't Patch

  • Immediately disable the SSV Events plugin via WordPress admin or command line
  • Implement web application firewall rules to block path traversal patterns and LFI attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for SSV Events version 3.2.7 or earlier

Check Version:

wp plugin get ssv-events --field=version

Verify Fix Applied:

Verify SSV Events plugin version is higher than 3.2.7 in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns to SSV Events plugin files
  • Unusual file inclusion attempts in web server logs
  • Multiple 200 OK responses to PHP file requests that shouldn't be accessible

Network Indicators:

  • HTTP requests with path traversal sequences (../, ..\, %2e%2e%2f)
  • Requests to SSV Events plugin files with unusual parameters

SIEM Query:

source="web_server_logs" AND (uri="*ssv-events*" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*"))
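The log indicators and SIEM query above can be checked offline against raw web server logs. The following is an added example, not part of this advisory or the plugin: it normalizes each request URI (repeated percent-decoding to catch double encoding, backslashes folded to slashes) and flags requests to the ssv-events plugin directory that carry a traversal sequence. The log lines are constructed, and the script name PLUGIN_FILE.php and the file parameter are placeholders, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). The script
# name "PLUGIN_FILE.php" and the "file" parameter are placeholders; the
# advisory does not name the actual vulnerable endpoint.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-content/plugins/ssv-events/PLUGIN_FILE.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.6 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-content/plugins/ssv-events/PLUGIN_FILE.php?file=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2024:13:56:30 +0000] "GET /wp-content/plugins/ssv-events/PLUGIN_FILE.php?file=%252e%252e%255cwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2024:13:57:00 +0000] "GET /wp-content/plugins/ssv-events/assets/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [10/Oct/2024:13:57:10 +0000] "GET /blog/../index.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'\.\./')


def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), then fold
    backslashes to slashes and lowercase, covering the ../, ..\\ and %2e%2e%2f
    variants listed under Network Indicators."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/').lower()


def scan_logs(lines):
    """Return one finding per request that targets the ssv-events plugin
    directory and still contains a traversal sequence after normalization."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable combined-format line
        ip, method, uri, status = m.groups()
        norm = normalize_uri(uri)
        if 'plugins/ssv-events/' in norm and TRAVERSAL_RE.search(norm):
            # A 200 on a traversal request suggests the include was served.
            findings.append({'ip': ip, 'method': method, 'uri': uri,
                             'status': int(status), 'served': status == '200'})
    return findings


if __name__ == '__main__':
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['ip']} {f['status']} {f['uri']}")
```

The last sample line shows why the plugin-path condition matters: a stray `../` elsewhere on the site is not flagged, matching the SIEM query's requirement that both conditions hold.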
