CVE-2024-6547
📋 TL;DR
The Add Admin CSS WordPress plugin discloses full server path information to unauthenticated attackers in versions up to 2.0.1. This occurs because test files with display_errors enabled remain accessible. While the path disclosure alone doesn't cause direct damage, it can help attackers map the server structure for subsequent attacks.
💻 Affected Systems
- WordPress Add Admin CSS plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with other vulnerabilities (like file inclusion or directory traversal) to execute arbitrary code, access sensitive files, or compromise the WordPress installation.
Likely Case
Attackers gather reconnaissance information about server structure to plan more sophisticated attacks, potentially leading to information disclosure that aids in targeted exploitation.
If Mitigated
Limited to information disclosure only, with no direct system compromise if other vulnerabilities are properly patched and security controls are in place.
🎯 Exploit Status
Exploitation requires accessing specific test files that disclose error messages with full paths. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.0.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/add-admin-css/trunk/tests/phpunit/bootstrap.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Add Admin CSS' plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install latest version from WordPress repository.
🔧 Temporary Workarounds
Remove test files manually
linuxDelete the vulnerable test files from the plugin directory to prevent path disclosure.
rm -rf /path/to/wordpress/wp-content/plugins/add-admin-css/tests/
Disable error display
allConfigure PHP to not display errors in production environments.
php_value display_errors Off in .htaccess or php.ini
🧯 If You Can't Patch
- Deactivate and remove the Add Admin CSS plugin entirely from WordPress.
- Implement web application firewall rules to block access to /tests/ directory paths.
🔍 How to Verify
Check if Vulnerable:
Access http://your-site.com/wp-content/plugins/add-admin-css/tests/phpunit/bootstrap.php and check if full server path is disclosed in error messages.Check Version:
Check WordPress admin panel > Plugins > Add Admin CSS, or examine /wp-content/plugins/add-admin-css/readme.txt file version header.Verify Fix Applied:
After updating, attempt to access the test file URL again - it should return 404 or not disclose path information.📡 Detection & Monitoring
Log Indicators:
- HTTP 200 requests to /wp-content/plugins/add-admin-css/tests/ paths
- Error logs containing full server path disclosures
Network Indicators:
- Unusual GET requests to plugin test directories from external IPs
SIEM Query:
source="web_access_logs" AND uri_path="/wp-content/plugins/add-admin-css/tests/" AND status=200🔗 References
- https://plugins.trac.wordpress.org/browser/add-admin-css/trunk/tests/phpunit/bootstrap.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0064244b-72a4-486d-aaad-be1f57e4a8a1?source=cve
- https://plugins.trac.wordpress.org/browser/add-admin-css/trunk/tests/phpunit/bootstrap.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0064244b-72a4-486d-aaad-be1f57e4a8a1?source=cve
