CVE-2024-8104 is a directory traversal vulnerability classified under CWE-22 found in The Ultimate WordPress Toolkit – WP Extended plugin for WordPress, affecting all versions up to and including 3.0.8. The vulnerability exists in the download_file_ajax function, which fails to properly restrict pathname inputs to a designated directory. This flaw allows authenticated users with subscriber-level privileges or higher to manipulate the file path parameter to access arbitrary files on the server's filesystem. By exploiting this, attackers can read sensitive files such as configuration files, password stores, or other critical data that should be inaccessible. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 base score is 8.8, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or exploits in the wild are currently reported, but the risk remains significant due to the potential for sensitive data exposure and subsequent system compromise. The vulnerability highlights the importance of input validation and proper access control in WordPress plugins handling file operations.

The exploitation of CVE-2024-8104 can have severe consequences for organizations running WordPress sites with the vulnerable plugin. Attackers can gain unauthorized access to sensitive files, potentially exposing credentials, configuration details, or other confidential data. This can lead to further attacks such as privilege escalation, lateral movement within the network, or complete system compromise. The integrity of the system can be undermined if attackers modify or replace critical files after gaining access. Availability may also be impacted if attackers disrupt normal operations or delete essential files. Given WordPress's widespread use, especially among small to medium enterprises and content-heavy websites, the vulnerability poses a significant risk to data confidentiality and operational continuity. Organizations may face reputational damage, regulatory penalties, and financial losses if exploited. The requirement for only subscriber-level privileges lowers the barrier for exploitation, increasing the threat surface.

To mitigate CVE-2024-8104, organizations should immediately update The Ultimate WordPress Toolkit – WP Extended plugin to a patched version once available. Until a patch is released, restrict access to the plugin’s functionality by limiting subscriber-level permissions or disabling the plugin if not essential. Implement web application firewall (WAF) rules to detect and block suspicious path traversal attempts targeting the download_file_ajax endpoint. Conduct thorough audits of user roles and permissions to ensure minimal privilege principles are enforced, reducing the number of users with subscriber or higher access. Monitor server logs for unusual file access patterns that may indicate exploitation attempts. Additionally, consider isolating WordPress installations and sensitive files using containerization or hardened filesystem permissions to limit the impact of potential breaches. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.