CVE-2024-54380 in WP Cookies Enabler Plugin
Summary
by MITRE • 12/16/2024
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Filippo Bodei WP Cookies Enabler allows PHP Local File Inclusion.This issue affects WP Cookies Enabler: from n/a through 1.0.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/17/2025
The CVE-2024-54380 vulnerability represents a critical path traversal flaw in the WP Cookies Enabler plugin for WordPress, specifically impacting versions prior to 1.0.2. This vulnerability falls under the Common Weakness Enumeration category CWE-22, which defines improper limitation of a pathname to a restricted directory as a fundamental security weakness. The flaw enables attackers to manipulate file path parameters in a way that allows unauthorized access to files outside the intended directory structure, creating a dangerous escalation path for potential exploitation.
The technical implementation of this vulnerability stems from inadequate input validation within the plugin's file handling mechanisms. When the WP Cookies Enabler processes user-supplied parameters, it fails to properly sanitize or restrict the pathname components that could lead to local file inclusion attacks. This occurs because the plugin does not adequately validate or filter the input before using it in file system operations, allowing malicious actors to craft specific requests that bypass normal directory restrictions. The vulnerability specifically manifests when the plugin handles cookie-related file operations, where it accepts user-controllable data without sufficient sanitization measures.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the capability to perform PHP Local File Inclusion attacks. This means that an attacker could potentially access sensitive files on the server, including configuration files, database credentials, or other system files that should remain protected. The attack surface becomes particularly dangerous when considering that WordPress installations often contain sensitive data within their file structures, and the plugin's functionality provides a direct pathway for exploitation. The vulnerability affects the entire WordPress ecosystem where the plugin is installed, potentially compromising multiple sites if not properly addressed.
Security practitioners should implement immediate mitigations including updating to version 1.0.2 or later of the WP Cookies Enabler plugin, which contains the necessary patches to address the path traversal vulnerability. Additionally, network-level protections such as web application firewalls can provide an additional layer of defense by monitoring for suspicious file path patterns. The ATT&CK framework categorizes this type of vulnerability under T1595.001 for reconnaissance and T1059.007 for command and scripting interpreter, highlighting the potential for attackers to use this weakness as a foothold for further system compromise. Organizations should also conduct thorough security audits of their WordPress installations to identify any other plugins or themes that may be susceptible to similar path traversal vulnerabilities, ensuring comprehensive protection against this class of attack.