CVE-2024-54362 – This path traversal vulnerability in the GetSho... (How to Fix)

📋 TL;DR

This path traversal vulnerability in the GetShop eCommerce WordPress plugin allows attackers to access files outside the intended directory. It affects all versions up to 1.3 of the plugin, potentially exposing sensitive server files to unauthorized users.

💻 Affected Systems

Products:

GetShop eCommerce WordPress plugin

Versions: All versions up to and including 1.3

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the GetShop eCommerce plugin installed and activated.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files like /etc/passwd, configuration files, or source code, potentially leading to complete system compromise.

🟠

Likely Case

Unauthorized access to sensitive files within the web directory, potentially exposing database credentials, user data, or other confidential information.

🟢

If Mitigated

Limited impact with proper file permissions and web server security configurations in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires understanding of path traversal techniques but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.3

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/getshop-ecommerce/vulnerability/wordpress-getshop-ecommerce-plugin-1-3-path-traversal-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find GetShop eCommerce plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and remove the plugin

🔧 Temporary Workarounds

Disable GetShop eCommerce Plugin

WordPress

Temporarily disable the vulnerable plugin until patched version is available

wp plugin deactivate getshop-ecommerce

🧯 If You Can't Patch

Implement strict file permissions on web server directories
Configure web application firewall to block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for GetShop eCommerce version 1.3 or earlier

Check Version:

wp plugin get getshop-ecommerce --field=version

Verify Fix Applied:

Verify plugin version is greater than 1.3 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in web server logs
Requests containing '../' sequences or encoded equivalents

Network Indicators:

HTTP requests with path traversal sequences targeting GetShop endpoints

SIEM Query:

web_access_logs WHERE url CONTAINS '../' AND url CONTAINS 'getshop'

📊 Metadata

CVE ID: CVE-2024-54362

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-35

EPSS Score: 0.39% exploit probability (59.7th percentile)

Published: March 28, 2025

Last Updated: March 28, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/getshop-ecommerce/vulnerability/wordpress-getshop-ecommerce-plugin-1-3-path-traversal-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-54362, you might also want to check these: