CVE-2024-7410
📋 TL;DR
The My Custom CSS PHP & ADS WordPress plugin discloses the full server path to unauthenticated attackers through direct access to a specific file. This information alone doesn't cause damage but can help attackers map the server structure for subsequent attacks. All WordPress sites using this plugin up to version 3.3 are affected.
💻 Affected Systems
- My Custom CSS PHP & ADS WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with other vulnerabilities (like file inclusion or directory traversal) to execute arbitrary code, access sensitive files, or compromise the server.
Likely Case
Attackers gather reconnaissance information about server structure to plan more targeted attacks against the WordPress installation.
If Mitigated
Minimal impact since path disclosure alone doesn't enable direct compromise, though it still provides attackers with useful reconnaissance data.
🎯 Exploit Status
Exploitation requires only a web browser or curl command to access the vulnerable file path. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/my-custom-css/trunk/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
Restart Required: No
Instructions:
1. Update the My Custom CSS PHP & ADS plugin to version 3.4 or later via the WordPress admin dashboard.
2. Verify the update completed successfully.
3. Clear any caching mechanisms if present.
🔧 Temporary Workarounds
Block direct access to vulnerable file
Add an .htaccess rule to prevent direct access to the vulnerable PHP file (Apache only; the Order/Deny directives below are Apache 2.2 syntax and need mod_access_compat on Apache 2.4, which otherwise expresses the same rule with the Require directive).
# Add to .htaccess in WordPress root directory
<Files "exportToJSON.php">
Order Allow,Deny
Deny from all
</Files>
Remove vulnerable file
Delete the vulnerable file from the server
rm -f /path/to/wordpress/wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
🧯 If You Can't Patch
- Disable or remove the My Custom CSS PHP & ADS plugin entirely from WordPress
- Implement web application firewall rules to block requests to the vulnerable file path
🔍 How to Verify
Check if Vulnerable:
Access https://your-site.com/wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php in a browser. If it returns server path information instead of a 403/404 error, the site is vulnerable.
Check Version:
Check WordPress admin dashboard > Plugins > My Custom CSS PHP & ADS, or examine the plugin's readme.txt file version number.
Verify Fix Applied:
Attempt to access the same URL after patching. It should return a 403 error or be inaccessible.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
- Unusual number of requests to plugin directories from single IPs
Network Indicators:
- HTTP requests to the vulnerable file path returning 200 OK status with path disclosure content
SIEM Query:
source="web_server_logs" AND uri="/wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php" AND status=200
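As an added detection example (not part of the advisory), the Python below applies the log and network indicators above to constructed combined-format access-log lines: a 200 response to the vulnerable path is treated as a served disclosure, a 403/404 as a blocked probe, and the per-IP count under /wp-content/plugins/ implements the "unusual number of requests" indicator with an assumed threshold.

```python
import re
from collections import Counter

# The vulnerable path is taken from the advisory; all log lines below are
# constructed samples using RFC 5737 documentation addresses.
VULN_PATH = ("/wp-content/plugins/my-custom-css/vendor/mobiledetect/"
             "mobiledetectlib/export/exportToJSON.php")

# Apache/Nginx "combined" access-log format: ip ident user [ts] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2024:10:00:01 +0000] "GET /wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php HTTP/1.1" 200 612 "-" "curl/8.4.0"
203.0.113.7 - - [01/Aug/2024:10:00:02 +0000] "GET /wp-content/plugins/my-custom-css/readme.txt HTTP/1.1" 200 1402 "-" "curl/8.4.0"
203.0.113.7 - - [01/Aug/2024:10:00:03 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.9 - - [01/Aug/2024:10:05:00 +0000] "GET /wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Aug/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield parsed entries; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def classify_probe_hits(lines):
    """Group requests for the vulnerable file by outcome (query string ignored)."""
    hits = {"disclosed": [], "blocked": [], "other": []}
    for e in parse(lines):
        if e["uri"].split("?", 1)[0] != VULN_PATH:
            continue
        if e["status"] == "200":
            key = "disclosed"          # path-disclosing response was served
        elif e["status"] in ("403", "404"):
            key = "blocked"            # probe against a mitigated/patched site
        else:
            key = "other"
        hits[key].append((e["ip"], e["ts"]))
    return hits

def plugin_dir_scanners(lines, threshold=3):
    """IPs with at least `threshold` requests under /wp-content/plugins/ (threshold is an assumed tuning value)."""
    counts = Counter(e["ip"] for e in parse(lines)
                     if e["uri"].startswith("/wp-content/plugins/"))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(classify_probe_hits(lines), plugin_dir_scanners(lines))
```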