CVE-2024-7411
📋 TL;DR
The Newsletters plugin for WordPress has a full path disclosure vulnerability that allows unauthenticated attackers to retrieve the web application's full server path. This information alone doesn't cause direct damage but can aid attackers in exploiting other vulnerabilities. All WordPress sites using Newsletters plugin version 4.9.9 or earlier are affected.
💻 Affected Systems
- WordPress Newsletters plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with another vulnerability (like file inclusion or directory traversal) to execute arbitrary code, read sensitive files, or compromise the server.
Likely Case
Attackers gather reconnaissance information about server structure to plan more sophisticated attacks against the WordPress installation.
If Mitigated
With proper web server hardening and security controls, the impact is limited to information disclosure that doesn't lead to further compromise.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.10 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3135786/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the 'Newsletters' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.9.10 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Block direct access to vulnerable file
Applies to: all platforms. Add an .htaccess rule to block access to the vulnerable PHP file.
# Add to .htaccess in the WordPress root directory; a <Files> block there
# applies to that directory and every subdirectory, so the plugin path is covered.
# Apache 2.2 syntax (also works on 2.4 when mod_access_compat is loaded):
<Files "exportToJSON.php">
Order Allow,Deny
Deny from all
</Files>
# Apache 2.4 native syntax, if the block above is rejected at config test:
# <Files "exportToJSON.php">
# Require all denied
# </Files>
Remove vulnerable file
Applies to: Linux. Delete the vulnerable file from the server.
rm -f /path/to/wordpress/wp-content/plugins/newsletters/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
🧯 If You Can't Patch
- Temporarily disable the Newsletters plugin until patching is possible
- Implement web application firewall rules to block requests to /vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
🔍 How to Verify
Check if Vulnerable:
Visit https://your-site.com/wp-content/plugins/newsletters/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php - if it returns server path information, you're vulnerable.
Check Version:
Check WordPress admin → Plugins → Newsletters plugin details page for version number
Verify Fix Applied:
After updating, visit the same URL - you should get a 403 Forbidden or 404 Not Found error instead of path disclosure.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-content/plugins/newsletters/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php
- Unusual GET requests to plugin vendor directories
Network Indicators:
- HTTP requests to exportToJSON.php endpoint from unauthenticated sources
SIEM Query:
SELECT * FROM web_logs WHERE url LIKE '%/exportToJSON.php' AND response_code = 200
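The log indicators above (HTTP 200 responses to the exportToJSON.php path, plus any unusual requests into plugin vendor directories) can be checked directly against web server access logs when no SIEM is available. The following script is an added example, not part of this advisory or the plugin: it parses Apache combined-format lines, strips query strings so the vulnerable path still matches when parameters are appended, and labels each request as either a successful hit on the endpoint (the site is presumably unpatched), a blocked probe (403/404 after the fix or workaround), or a generic request into a plugin's vendor/ tree. The log lines are constructed and use RFC 5737 documentation addresses; the verdict names are this example's own.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2024:10:01:02 +0000] "GET /wp-content/plugins/newsletters/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.11 - - [12/Aug/2024:10:01:05 +0000] "GET /wp-content/plugins/newsletters/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2024:10:02:10 +0000] "GET /wp-content/plugins/newsletters/vendor/other-lib/index.php HTTP/1.1" 404 150 "-" "python-requests/2.31"
198.51.100.8 - - [12/Aug/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
not a log line at all
"""

# Path from the advisory; the query string is removed before comparison.
VULN_PATH = ("/wp-content/plugins/newsletters/vendor/mobiledetect/"
             "mobiledetectlib/export/exportToJSON.php")

# Ordinary visitors never request files under a plugin's vendor/ tree.
VENDOR_DIR_RE = re.compile(r"^/wp-content/plugins/[^/]+/vendor/")

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


class Hit(NamedTuple):
    ip: str
    timestamp: str
    path: str
    status: int
    verdict: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def classify(path: str, status: int) -> Optional[str]:
    """Map one request onto the advisory's log indicators (verdict names are this example's)."""
    if path == VULN_PATH:
        # 200: the endpoint answered, so the site is presumably still unpatched.
        # Anything else: the patch/workaround blocked it, but the probe is worth recording.
        return "vuln-endpoint-200" if status == 200 else "vuln-endpoint-blocked"
    if VENDOR_DIR_RE.match(path):
        return "vendor-dir-request"
    return None


def scan(log_text: str) -> list:
    """Parse every line and keep only those matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        verdict = classify(rec["path"], rec["status"])
        if verdict:
            hits.append(Hit(rec["ip"], rec["ts"], rec["path"], rec["status"], verdict))
    return hits


def summarize(hits) -> dict:
    """Count hits per verdict, which is what a dashboard or ticket would show."""
    return dict(Counter(h.verdict for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.verdict:22} {h.ip:15} {h.status} {h.path}")
    print(summarize(found))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; a "vuln-endpoint-200" verdict dated after the patch was applied is the case to investigate first, since it means the file is still being served.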