[email protected]CVE-2024-3849

HistoryMay 02, 2024 - 5:15 p.m.

CVE-2024-3849

2024-05-0217:15:31

[email protected]

web.nvd.nist.gov

cve-2024-3849

holithemes

local file inclusion

wordpress

authenticated attackers

access controls

sensitive data

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.2%

JSON

The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affected configurations

Vulners

Node

holithemesclick_to_chatRange≤3.35

VendorProductVersionCPE
holithemesclick_to_chat*cpe:2.3:a:holithemes:click_to_chat:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
holithemes	click_to_chat	*	cpe:2.3:a:holithemes:click_to_chat::::::::

CNA Affected

[
  {
    "vendor": "holithemes",
    "product": "Click to Chat – HoliThemes",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.35",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277

plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072112%40click-to-chat-for-whatsapp%2Ftrunk&old=3064395%40click-to-chat-for-whatsapp%2Ftrunk&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.2%

JSON

Related for CVE-2024-3849

nvd1 wpvulndb1 cvelist1 wordfence1