CVE-2024-6553
📋 TL;DR
The WP Meteor Website Speed Optimization Addon plugin for WordPress versions up to 3.4.3 contains a full path disclosure vulnerability. Unauthenticated attackers can retrieve the web application's full file system path, which can aid in exploiting other vulnerabilities. This affects all WordPress sites using the vulnerable plugin versions.
💻 Affected Systems
- WP Meteor Website Speed Optimization Addon for WordPress
📦 What is this software?
Wp Meteor by Wp Meteor
⚠️ Risk & Real-World Impact
Worst Case
Full path disclosure combined with another vulnerability could lead to remote code execution, data theft, or complete site compromise.
Likely Case
Attackers gather reconnaissance information to facilitate more targeted attacks against the WordPress installation.
If Mitigated
Path information is exposed but cannot be leveraged without additional vulnerabilities.
🎯 Exploit Status
Exploitation requires accessing specific test files left by the plugin with display_errors enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3117899%40wp-meteor&new=3117899%40wp-meteor&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Meteor and click 'Update Now'.
4. Verify the version is 3.4.4 or higher.
🔧 Temporary Workarounds
Remove test files manually
Linux: delete the test files left by the wpdesk framework that have display_errors enabled. Note that the second command deletes every PHP file under the plugin directory that mentions display_errors, so run it without the trailing -delete first and review the list of matches before removing anything.
find /path/to/wordpress/wp-content/plugins/wp-meteor -name "*test*" -type f -delete
find /path/to/wordpress/wp-content/plugins/wp-meteor -name "*.php" -exec grep -l "display_errors" {} \; -delete
🧯 If You Can't Patch
- Disable the WP Meteor plugin temporarily
- Implement web application firewall rules to block access to test file paths
🔍 How to Verify
Check if Vulnerable:
Check if WP Meteor plugin version is 3.4.3 or lower in WordPress admin panel under Plugins → Installed Plugins
Check Version:
wp plugin list --name=wp-meteor --field=version
Verify Fix Applied:
Verify plugin version is 3.4.4 or higher and test that accessing /wp-content/plugins/wp-meteor/test files returns 404 errors
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to paths containing '/wp-content/plugins/wp-meteor/test'
- HTTP 200 responses with full server path information in body
Network Indicators:
- Unusual GET requests to plugin test file paths from external IPs
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/wp-meteor/*test*" AND status=200
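A small log-review script implementing the indicators above (added example, not part of the advisory): it matches access-log entries for wp-meteor plugin paths containing "test" that were served with HTTP 200, mirroring the SIEM query, and groups them by source IP for the network indicator. The log lines, IPs and file names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample access log lines (combined log format); the paths and
# addresses are illustrative, not real indicators from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-meteor/test.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-meteor/assets/app.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-meteor/tests/foo.php HTTP/1.1" 404 200 "-" "curl/8.0"
192.0.2.5 - - [10/Jul/2024:12:00:04 +0000] "GET /wp-content/plugins/wp-meteor/test_bar.php?x=1 HTTP/1.1" 200 340 "-" "python-requests/2.31"
"""

PLUGIN_PREFIX = "/wp-content/plugins/wp-meteor/"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_suspicious(path: str, status: int) -> bool:
    """True for a 200 response to a wp-meteor path whose plugin-relative part contains 'test'."""
    if status != 200 or not path.startswith(PLUGIN_PREFIX):
        return False
    rest = path[len(PLUGIN_PREFIX):].split("?", 1)[0]  # drop query string
    return "test" in rest.lower()


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries that match the advisory's log indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["path"], int(m["status"])):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return hits


def hits_by_ip(log_text: str) -> Dict[str, int]:
    """Count matching requests per source IP to spot a single scanner probing test paths."""
    counts: Dict[str, int] = {}
    for hit in find_hits(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']}")
    print(hits_by_ip(SAMPLE_LOG))
```

A 404 for a test path (third sample line) is not flagged, since it indicates the files are absent or blocked, which is the expected state after the fix.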
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3117899%40wp-meteor&new=3117899%40wp-meteor&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6197c194-5a17-41da-be79-58a6f5c68a0b?source=cve