Skip to main content

Droip CVE-2024-43955

CRITICAL
Path Traversal (CWE-22)
2024-08-29 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Droip droip allows Path Traversal.This issue affects Droip: from n/a through < 2.5.2.

AnalysisAI

Unauthenticated path traversal in Themeum's Droip WordPress plugin (versions prior to 2.5.2) lets remote attackers read sensitive files outside the intended directory and trigger availability impact with scope change to the underlying WordPress host. CVSS rates this 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H), and while no public exploit is identified at time of analysis, the EPSS of 1.13% (78th percentile) signals meaningfully elevated exploitation interest relative to the broader CVE population.

Technical ContextAI

Droip is a visual website builder plugin for WordPress distributed by Themeum, identified by CPE cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*. The root cause is CWE-22, Improper Limitation of a Pathname to a Restricted Directory, meaning the plugin fails to canonicalize or constrain user-supplied path components before using them in filesystem operations. In WordPress plugin contexts, such flaws typically appear in AJAX handlers, REST endpoints, or admin-ajax actions that accept file or template names and concatenate them with a base directory without rejecting sequences like '../', enabling access to arbitrary paths within the web server's reach.

RemediationAI

Vendor-released patch: Droip 2.5.2 - upgrade all WordPress sites running Themeum Droip to version 2.5.2 or later as the primary fix. If upgrading immediately is not feasible, deactivate and remove the Droip plugin until patched, since the issue is reachable network-side without authentication; alternatively, place the site behind a WAF rule that blocks request parameters containing path-traversal sequences ('../', encoded variants like '%2e%2e%2f', and absolute paths) directed at Droip's AJAX/REST endpoints, accepting that overly broad rules can break legitimate template or asset requests handled by the builder. Restricting access to /wp-admin/admin-ajax.php and the plugin's REST namespace to authenticated editors via reverse-proxy ACLs is a stronger but more disruptive control, since it will break any front-end functionality that relies on those endpoints for anonymous visitors. Verify exploitation attempts and post-patch integrity by reviewing web server access logs for traversal patterns against Droip endpoints.

Share

CVE-2024-43955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy