CVE-2024-50497 in Advanced Online Ordering and Delivery Platform Plugininfo

Summary

by MITRE • 10/28/2024

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wdesco Advanced Online Ordering and Delivery Platform advanced-online-ordering-and-delivery-platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through <= 2.0.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/06/2026

The CVE-2024-50497 vulnerability represents a critical PHP Remote File Inclusion flaw within the wdesco Advanced Online Ordering and Delivery Platform, specifically manifesting as an improper control of filename for include/require statements. This vulnerability falls under the broader category of PHP Local File Inclusion attacks that exploit insecure handling of file paths in PHP applications. The flaw exists in the platform's code where user-supplied input is directly incorporated into include or require statements without adequate validation or sanitization, creating an avenue for attackers to manipulate the execution flow of the application. The vulnerability affects versions from the initial release through version 2.0.0, indicating a persistent issue that has not been addressed in the software's development lifecycle.

This security weakness stems from the application's failure to properly validate or sanitize user input that is subsequently used in PHP's include or require functions. When an attacker can control the filename parameter passed to these functions, they can potentially include arbitrary local files on the server, leading to unauthorized code execution or data exposure. The vulnerability is particularly dangerous because it allows attackers to leverage legitimate file inclusion mechanisms for malicious purposes, bypassing normal security controls that would typically prevent such operations. The issue demonstrates poor input validation practices and violates fundamental security principles of least privilege and input sanitization.

The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with potential access to sensitive server resources and data. Successful exploitation could enable attackers to execute arbitrary code on the affected server, potentially leading to complete system compromise, data theft, or service disruption. The vulnerability could allow unauthorized access to database credentials, user information, or other sensitive data stored on the server. Additionally, attackers might use this vulnerability to establish persistent access, deploy malware, or conduct further reconnaissance activities against the internal network. The implications extend beyond immediate data compromise to include potential regulatory compliance violations and reputational damage for organizations using the affected platform.

Mitigation strategies for this vulnerability should focus on implementing proper input validation and sanitization measures to prevent user-supplied data from being used in include/require statements. Organizations should ensure that all file inclusion operations use predefined, whitelisted values rather than dynamic user input. The recommended approach includes implementing strict input validation, using absolute paths for file inclusion, and disabling dangerous PHP functions such as allow_url_include. Additionally, applying the principle of least privilege by running the application with minimal required permissions can limit the damage from successful exploitation. Regular security audits and code reviews should be conducted to identify similar patterns and prevent future occurrences. This vulnerability aligns with CWE-98 and CWE-88 categories related to improper file inclusion and command injection, and it maps to ATT&CK techniques involving privilege escalation and persistence through code injection methods.

Responsible

Patchstack

Reservation

10/24/2024

Disclosure

10/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00510

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!