CVE-2024-6164
📋 TL;DR
CVE-2024-6164 is a critical Local File Inclusion vulnerability in the Filter & Grids WordPress plugin that allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to remote code execution, complete system compromise, and data theft. All WordPress sites running vulnerable versions of this plugin are affected.
💻 Affected Systems
- Filter & Grids WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover, data exfiltration, ransomware deployment, and lateral movement to other systems in the network.
Likely Case
Webshell installation leading to persistent backdoor access, credential theft, and defacement of the WordPress site.
If Mitigated
Limited impact if proper file permissions, web application firewalls, and network segmentation are in place.
🎯 Exploit Status
Exploitation requires only a single HTTP request with a malicious post_layout parameter. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.33
Vendor Advisory: https://wpscan.com/vulnerability/40bd880e-67a1-4180-b197-8dcadaa0ace4/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Filter & Grids' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.8.33+ from the WordPress repository.
6. Deactivate and delete the old plugin.
7. Upload and activate the new version.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests containing malicious post_layout parameter patterns
WAF rule: Block if request_uri contains 'post_layout' with file path traversal patterns
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate filter-grids
Or via WordPress admin: Plugins → Installed Plugins → Filter & Grids → Deactivate
🧯 If You Can't Patch
- Implement strict file permissions (755 for directories, 644 for files) to limit PHP file access
- Deploy web application firewall with LFI protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel go to Plugins → Filter & Grids and read the version number. If the version is below 2.8.33, the site is vulnerable.
Check Version:
wp plugin get filter-grids --field=version
Verify Fix Applied:
Confirm the plugin version is 2.8.33 or higher in the WordPress admin panel, then test with a controlled LFI payload to confirm the post_layout parameter is sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'post_layout' parameter with file path traversal patterns (../../, /etc/passwd, etc.)
- Unusual PHP file accesses from web root
- Webshell creation in uploads or temp directories
Network Indicators:
- HTTP GET/POST requests to plugin endpoints with suspicious post_layout values
- Unusual outbound connections from web server post-exploitation
SIEM Query:
source="web_logs" AND (uri="*post_layout*" AND (uri="*../*" OR uri="*/etc/*" OR uri="*php://*"))
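The log indicators and SIEM query above match anywhere in the URI; the following added example (not part of this advisory) scopes the check to the decoded post_layout parameter value itself, so a traversal string in an unrelated parameter is not flagged while URL-encoded variants still are. It assumes combined-format web server access logs and uses constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "GET /?post_layout=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /?post_layout=../../../../etc/passwd HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /?post_layout=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.13 - - [10/Jun/2024:12:00:04 +0000] "GET /?s=../../docs&post_layout=list HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jun/2024:12:00:05 +0000] "POST /?post_layout=php://filter HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

# Client IP, timestamp and the quoted request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns taken from the advisory's log indicators: path traversal, /etc/ reads, PHP stream wrappers.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|/etc/|php://)', re.IGNORECASE)

def post_layout_values(target):
    """Return every post_layout value in the request target, fully URL-decoded."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("post_layout", [])
    # parse_qs decodes once; decode twice more so double-encoded traversal is not missed.
    return [unquote(unquote(v)) for v in values]

def scan_log(text):
    """Return (client_ip, timestamp, decoded_value) for requests whose post_layout value looks like LFI."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log entry; skip rather than guess
        for value in post_layout_values(m.group("target")):
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} post_layout={value!r}")
```

Only three of the five sample lines are reported; the request with `../` in the unrelated `s` parameter is correctly ignored.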