CVE-2024-6460

Grow by Tradedoubler <= 2.0.21 - Unauthenticated LFI

CVSS 9.8 CRITICALEPSS 4.8%

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 4.8%KEV nãoPoC públicaNuclei simMetasploit —Patch —

Lifecycle

16 Aug 2024Published on NVD

21 Jan 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Unknown · Grow by Tradedoubler

public PoCs found — 3

githubgithub.com/Nxploited/CVE-2024-6460★ 0 githubgithub.com/E1-Bot141/CVE-2024-6460★ 0 cve_referencewpscan.com/vulnerability/ba2f53e0-30be-4f37-91bc-5fa151f1eee7/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/ba2f53e0-30be-4f37-91bc-5fa151f1eee7/