CVE-2024-54380 is a security vulnerability classified as an improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw, found in the WP Cookies Enabler plugin for WordPress, developed by Filippo Bodei. The vulnerability affects all versions up to and including 1.0.1. It allows an attacker to manipulate file path inputs to the plugin in such a way that the application includes unintended local files on the server through PHP Local File Inclusion (LFI). This occurs because the plugin fails to properly sanitize or restrict the pathname parameters, enabling traversal outside the intended directory scope. LFI vulnerabilities can be leveraged to read sensitive files such as configuration files, password files, or even execute arbitrary PHP code if the attacker can control the contents of included files. The vulnerability does not require authentication, making it accessible to remote attackers. Although no public exploits or active exploitation have been reported, the nature of the flaw and the widespread use of WordPress plugins make it a critical concern. The lack of an official patch at the time of publication increases the urgency for organizations to implement interim mitigations. The vulnerability was published on December 16, 2024, with no CVSS score assigned yet, but the technical details confirm its potential severity.

The impact of CVE-2024-54380 is significant for organizations using the WP Cookies Enabler plugin on their WordPress sites. Exploitation can lead to unauthorized disclosure of sensitive server files, including credentials, configuration data, and other critical information. In some cases, attackers may achieve remote code execution by including malicious files, leading to full system compromise. This can result in website defacement, data breaches, lateral movement within the network, and disruption of services. Given WordPress's popularity as a content management system, many organizations, including small businesses, e-commerce platforms, and enterprises, could be affected. The vulnerability's ease of exploitation without authentication increases the risk of automated scanning and mass exploitation attempts. Additionally, compromised sites may be used as launchpads for further attacks or to distribute malware, impacting the broader internet ecosystem. The absence of known exploits currently provides a window for proactive defense, but the risk remains high due to the potential severity of outcomes.

To mitigate CVE-2024-54380, organizations should immediately update the WP Cookies Enabler plugin to a patched version once available. Until an official patch is released, the following specific measures are recommended: 1) Restrict access to the plugin's PHP files by configuring web server rules (e.g., .htaccess or nginx configurations) to deny direct access to sensitive plugin scripts. 2) Employ a Web Application Firewall (WAF) with custom rules to detect and block path traversal patterns in HTTP requests targeting the plugin endpoints. 3) Conduct thorough input validation and sanitization on any user-supplied data related to file paths if custom code interacts with the plugin. 4) Monitor web server logs for suspicious requests containing directory traversal sequences such as '../' or encoded variants. 5) Limit file permissions on the server to prevent unauthorized reading of sensitive files by the web server user. 6) Consider temporarily disabling the plugin if it is not essential to reduce the attack surface. 7) Educate site administrators about the risks and signs of exploitation attempts. These targeted actions go beyond generic advice by focusing on access controls, monitoring, and proactive detection tailored to the vulnerability's characteristics.