Shariff Wrapper < 4.6.14 – Unauthenticated Local File Inclusion | CVE 2024-4098 | Plugin Vulnerabilities

Description

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Fixed in 4.6.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f49fba00-c576-4a1a-8b0b-9ebed3e3d090

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

haidv35

Verified

No

WPVDB ID

7c8bce43-e058-4421-99b8-bc5877ed8b1e

Timeline

Publicly Published

2024-06-19 (about 2 years ago)

Added

2024-06-19 (about 2 years ago)

Last Updated

2024-06-20 (about 2 years ago)

Other

Published

Title

Published

2026-05-05

Title

Fluent Forms < 6.2.2 - Admin+ Arbitrary File Read via Path Traversal

Published

2022-11-28

Title

InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE

Published

2015-07-03

Title

Swim Team < 1.45 - Local File Inclusion

Published

2014-08-01

Title

WP Custom Pages 0.5.0.1 - LFI

Published

2014-08-01

Title

Tinymce Thumbnail Gallery < 1.1.0 - download-image.php Local File Inclusion