CVE-2024-6499

5.3 MEDIUM

📋 TL;DR

The MaxButtons WordPress plugin exposes full server path information to unauthenticated attackers in versions up to and including 9.7.8. This information disclosure vulnerability lets attackers gather reconnaissance data that could facilitate other attacks. All WordPress sites running a vulnerable version of the MaxButtons plugin are affected.

💻 Affected Systems

Products:
  • WordPress MaxButtons Plugin
Versions: All versions up to and including 9.7.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers combine path disclosure with other vulnerabilities (like local file inclusion) to achieve remote code execution or sensitive data exposure.

🟠

Likely Case

Attackers use the path information to simplify reconnaissance and target other vulnerabilities more effectively.

🟢

If Mitigated

Limited to path disclosure only, which provides minimal useful information on its own.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to vulnerable endpoint reveals path information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.8.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3140369/maxbuttons/tags/9.8.0/assets/libraries/font-awesome-5/convert.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MaxButtons plugin.
4. Click 'Update Now' if available, or manually update to version 9.8.0+.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable endpoint (applies to all platforms)

Block access to the vulnerable convert.php file via web server configuration.

# For Apache (2.4 syntax): add to the .htaccess in the plugin directory or to the site's vhost.
# .htaccess rules only take effect if AllowOverride permits them for that directory.
<Files "convert.php">
    Require all denied
</Files>
# For Nginx: add to the server block. Nginx uses the first regex location that matches,
# so this block must appear before the "location ~ \.php$" block that passes requests
# to PHP-FPM; otherwise that block wins and the script still executes.
location ~* /convert\.php$ {
    deny all;
    return 403;
}

🧯 If You Can't Patch

  • Disable the MaxButtons plugin entirely until patched.
  • Implement web application firewall rules to block requests to vulnerable endpoints.

🔍 How to Verify

Check if Vulnerable:

Access https://[your-site]/wp-content/plugins/maxbuttons/assets/libraries/font-awesome-5/convert.php - if it returns server path information, you're vulnerable.

Check Version:

Check WordPress admin panel → Plugins → MaxButtons, or examine /wp-content/plugins/maxbuttons/readme.txt file version header.

Verify Fix Applied:

After updating to 9.8.0+, access the same URL - it should return a 403 error or blank page instead of path information.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to the MaxButtons convert.php endpoint (a 403 or blank response indicates the fix or workaround is in place)
  • Unusual requests to font-awesome-5 directory

Network Indicators:

  • GET requests to /wp-content/plugins/maxbuttons/assets/libraries/font-awesome-5/convert.php

SIEM Query:

url:*/convert.php AND (http_response_code:200 OR user_agent:*scan* OR user_agent:*curl*)
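The SIEM query above is a starting point; the following added example (not part of the original advisory) applies the same log indicators offline, parsing combined-format web server log lines, separating 200 responses on the convert.php path (disclosure happened) from 4xx responses (the block rule held), and listing the client IPs that actually received a 200. The log lines are constructed samples; the `scan` and `classify` helper names are this example's own.

```python
import re

# Endpoint named in the advisory, relative to the WordPress root.
VULN_PATH = "/wp-content/plugins/maxbuttons/assets/libraries/font-awesome-5/convert.php"

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before path matching
    return rec

def classify(line):
    """'disclosure': 200 on the vulnerable path (paths were served); 'blocked': 4xx on it (rule held)."""
    rec = parse_line(line)
    # endswith() so a WordPress install under a sub-directory (/blog/wp-content/...) still matches
    if rec is None or not rec["path"].endswith(VULN_PATH):
        return None
    if rec["status"] == 200:
        return "disclosure"
    return "blocked" if 400 <= rec["status"] < 500 else "other"

def scan(lines):
    """Count hits per category and collect the client IPs that actually received a 200."""
    counts = {"disclosure": 0, "blocked": 0, "other": 0}
    exposed_to = set()
    for line in lines:
        label = classify(line)
        if label is None:
            continue
        counts[label] += 1
        if label == "disclosure":
            exposed_to.add(parse_line(line)["ip"])
    return counts, sorted(exposed_to)

# Constructed sample lines: a pre-mitigation hit, a hit blocked by the .htaccess rule, an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-content/plugins/maxbuttons/assets/libraries/font-awesome-5/convert.php HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jul/2024:12:05:01 +0000] "GET /blog/wp-content/plugins/maxbuttons/assets/libraries/font-awesome-5/convert.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Jul/2024:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run `scan(open("access.log").read().splitlines())` against a real log to get the same summary; any IP in the second element of the result saw the full server path and belongs in the incident timeline.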
