CVE-2024-3849

Published May 2, 2024

Last updated 6 months ago

CVSS high 8.8

Overview

Description: The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Hype score: Not currently trending

References

https://nvd.nist.gov/vuln/detail/CVE-2024-3849
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072112%40click-to-chat-for-whatsapp%2Ftrunk&old=3064395%40click-to-chat-for-whatsapp%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve

Overview

Risk scores

CVSS 3.1

Social media

References