CVE-2024-47645 is a security vulnerability classified as an improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw, found in the WordPress plugin 'Top Bar – PopUps – by WPOptin' developed by Danish Ali Malik. This vulnerability affects all versions up to and including 2.0.1. The core issue lies in insufficient validation or sanitization of user-supplied input that is used to construct file paths within the plugin's PHP code. This allows an attacker to manipulate the pathname parameter to traverse directories outside the intended restricted directory. Consequently, the attacker can perform PHP Local File Inclusion (LFI), which means they can include and potentially execute arbitrary files from the server's filesystem. This can lead to unauthorized disclosure of sensitive files such as configuration files, password stores, or source code, which may further enable privilege escalation or remote code execution if combined with other vulnerabilities. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. No public exploits have been reported yet, but the vulnerability is published and known since October 16, 2024. The lack of a CVSS score means severity must be inferred from the nature of the vulnerability, which is significant given the direct access to local files it provides. The plugin is used in WordPress environments, which are widely deployed globally, increasing the potential attack surface.

The primary impact of CVE-2024-47645 is unauthorized disclosure of sensitive information through local file inclusion. Attackers can read arbitrary files on the web server, potentially exposing credentials, configuration details, or proprietary code. This can compromise the confidentiality and integrity of the affected systems. Additionally, the information gained may be leveraged to conduct further attacks such as remote code execution or privilege escalation, severely impacting availability and control over the affected web server. Organizations relying on the vulnerable plugin risk data breaches, website defacement, or service disruption. Since WordPress powers a significant portion of the web, especially small to medium businesses and e-commerce sites, the scope of affected systems is broad. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially if automated scanning tools identify vulnerable sites. Although no known exploits are currently active in the wild, the publication of this vulnerability may prompt attackers to develop exploits rapidly.

To mitigate CVE-2024-47645, organizations should immediately update the 'Top Bar – PopUps – by WPOptin' plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Web application firewalls (WAFs) can be configured to detect and block suspicious requests containing directory traversal patterns or attempts to include local files. Implement strict input validation and sanitization on all user inputs, especially those used in file path construction. Restrict file permissions on the web server to limit access to sensitive files and directories, minimizing the damage potential if exploitation occurs. Regularly audit WordPress plugins for vulnerabilities and maintain an inventory of installed components to ensure timely updates. Monitoring web server logs for unusual access patterns or errors related to file inclusion attempts can provide early detection of exploitation attempts. Employing security plugins that scan for known vulnerabilities and malicious activity can further enhance protection.