ByteOS Network

Vulnerability Details :

CVE-2024-3849

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-02 May, 2024 | 16:52

Updated At-01 Aug, 2024 | 20:26

The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Wordfence

Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At:02 May, 2024 | 16:52

Updated At:01 Aug, 2024 | 20:26

▼CVE Numbering Authority (CNA)

Affected Products

Vendor

holithemes

Product

Click to Chat – HoliThemes

Default Status

unaffected

Versions

Affected

From * through 3.35 (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Type: N/A

CWE ID: N/A

Description: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Metrics

Version	Base score	Base severity	Vector
3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Credits

finder

haidv35

Timeline

Event	Date
Disclosed	2024-04-17 00:00:00

Event: Disclosed

Date: 2024-04-17 00:00:00

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277	N/A
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93	N/A
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072112%40click-to-chat-for-whatsapp%2Ftrunk&old=3064395%40click-to-chat-for-whatsapp%2Ftrunk&sfp_email=&sfph_mail=	N/A

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072112%40click-to-chat-for-whatsapp%2Ftrunk&old=3064395%40click-to-chat-for-whatsapp%2Ftrunk&sfp_email=&sfph_mail=

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277	x_transferred
https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93	x_transferred
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072112%40click-to-chat-for-whatsapp%2Ftrunk&old=3064395%40click-to-chat-for-whatsapp%2Ftrunk&sfp_email=&sfph_mail=	x_transferred

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/fe25bfef-34f0-4d57-9cba-9dcbf58281c6?source=cve

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/tools/woo/class-ht-ctc-woo.php#L284

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/admin/admin_demo/class-ht-ctc-admin-demo.php#L280

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat-shortcode.php#L207

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/chat/class-ht-ctc-chat.php#L291

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group-shortcode.php#L160

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/group/class-ht-ctc-group.php#L118

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share-shortcode.php#L181

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/new/inc/share/class-ht-ctc-share.php#L135

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/class-ccw-shortcode.php#L277

Resource:

x_transferred

Hyperlink: https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/3.35/prev/inc/commons/styles.php#L93

Resource:

x_transferred

Resource:

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@wordfence.com

Published At:02 May, 2024 | 17:15

Updated At:02 May, 2024 | 18:00

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H