CVE-2024-9546
📋 TL;DR
The WPIDE plugin for WordPress discloses the full server path to unauthenticated attackers due to improper error handling in the PHP-Parser library. This information disclosure vulnerability affects all WordPress sites using WPIDE versions up to 3.4.9. While not directly damaging, the exposed path information can assist attackers in targeting other vulnerabilities.
💻 Affected Systems
- WPIDE – File Manager & Code Editor WordPress plugin
📦 What is this software?
Wpide by Xplodedthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with other vulnerabilities (like file inclusion or directory traversal) to achieve remote code execution or sensitive data exposure.
Likely Case
Attackers gather reconnaissance information about server structure to plan more sophisticated attacks against the WordPress installation.
If Mitigated
Minimal impact since path disclosure alone doesn't compromise systems, though it still provides attackers with useful reconnaissance.
🎯 Exploit Status
Simple HTTP requests can trigger the path disclosure. The vulnerability is well-documented with public proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.0 and later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WPIDE plugin and click 'Update Now'.
4. Verify the version is 3.5.0 or higher.
🔧 Temporary Workarounds
Disable WPIDE Plugin
Temporarily deactivate the vulnerable plugin until it is patched
wp plugin deactivate wpide
Restrict Access via .htaccess
Block access to the PHP-Parser files that trigger the disclosure
# Apache 2.2-style directives; on Apache 2.4 without mod_access_compat, replace the two lines inside <Files> with: Require all denied
<Files "rebuildParsers.php">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Disable or remove the WPIDE plugin completely from production systems
- Implement web application firewall rules to block requests to vulnerable PHP-Parser endpoints
🔍 How to Verify
Check if Vulnerable:
Request /wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php in a browser; if the response contains server path information, the site is vulnerable
Check Version:
wp plugin get wpide --field=version
Verify Fix Applied:
Check WPIDE plugin version in WordPress admin shows 3.5.0 or higher, and the rebuildParsers.php endpoint no longer discloses path information
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php
- Unusual number of requests to PHP-Parser library files
Network Indicators:
- HTTP GET requests to rebuildParsers.php endpoint from unauthenticated sources
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php"
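As an added example (not part of this advisory), the log indicators above turned into a small offline detector: it parses Apache/nginx combined-format access-log lines, flags requests to the rebuildParsers.php path regardless of query string, and counts them per source IP. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Path named in the advisory's log indicators.
VULN_PATH = "/wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php"

# Apache/nginx "combined" log format; ip, timestamp, method, path and status are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields for one combined-format access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hit(entry):
    """True when the request targets the WPIDE PHP-Parser path (query string ignored)."""
    path = entry["path"].split("?", 1)[0].lower()
    return path == VULN_PATH.lower()

def find_hits(lines):
    """Return (hits, per_ip): the matching entries and a Counter of them by source IP."""
    hits = [e for e in (parse_line(l) for l in lines) if e and is_hit(e)]
    per_ip = Counter(e["ip"] for e in hits)
    return hits, per_ip

# Constructed sample log lines (not real traffic); 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:00:02 +0000] "GET /wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php HTTP/1.1" 200 612 "-" "curl/8.4.0"',
    '198.51.100.9 - - [10/Oct/2024:12:00:03 +0000] "GET /wp-content/plugins/wpide/vendor/nikic/php-parser/grammar/rebuildParsers.php?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /wp-content/plugins/wpide/readme.txt HTTP/1.1" 200 3001 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, per_ip = find_hits(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']} {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) to rebuildParsers.php")
```

A 200 response on the hit is the case worth escalating, since a patched or blocked site should return an error instead.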