CVE-2024-52447 Overview
CVE-2024-52447 is a path traversal vulnerability in the corporatezen222 Contact Page With Google Map WordPress plugin. The flaw affects all plugin versions up to and including 1.6.1. Attackers can abuse the '.../...//' traversal pattern to escape the intended directory and reach files outside the plugin scope. Successful exploitation results in arbitrary file deletion on the host filesystem. The vulnerability requires no authentication and no user interaction, and it is exploitable over the network. The issue is tracked under CWE-35 (Path Traversal: '.../...//').
Critical Impact
Unauthenticated attackers can delete arbitrary files on the WordPress server, including wp-config.php, which can trigger site takeover during the reinstallation flow.
Affected Products
- Contact Page With Google Map WordPress plugin (contact-page-with-google-map) by corporatezen222
- All versions up to and including 1.6.1 (no lower bound is given)
- WordPress installations with the vulnerable plugin active
Discovery Timeline
- 2024-11-20 - CVE-2024-52447 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-52447
Vulnerability Analysis
The vulnerability is an arbitrary file deletion flaw triggered through path traversal sequences. The plugin accepts a filename parameter and passes it to a file deletion routine without normalizing or restricting the path. Attackers supply traversal sequences such as .../...// to escape the plugin directory. The pattern bypasses naive filters that strip a single ../ because the characters left over after that removal re-form a ../ token, so the filtered value traverses even though the raw value did not. The Exploit Prediction Scoring System places this CVE in the upper half of likely-exploited issues, reflecting the trivial attack pattern and the popularity of vulnerable WordPress plugins.
Root Cause
The plugin fails to canonicalize user-supplied path input before passing it to filesystem APIs. There is no allow-list of permitted file targets and no check that the resolved path stays within the plugin's working directory. The deletion handler is reachable without authentication, removing the only remaining barrier to exploitation.
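The two points above (the single-pass ../ filter that the .../...// pattern survives, and the missing containment check on the resolved path) as an added illustration in Python; this is not the plugin's own code, and the BASE directory and the 'file name only' policy are assumptions for the example.

```python
import os


def naive_strip(user_path: str) -> str:
    # Single-pass filter of the kind the advisory describes: every literal '../'
    # is removed once and the remainder is trusted.
    return user_path.replace("../", "")


def is_within(base_dir: str, user_path: str) -> bool:
    # Containment check the plugin lacks: resolve the candidate against the base
    # directory (symlinks included) and require the result to stay under it.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    return os.path.commonpath([base_real, target]) == base_real


def deletion_allowed(base_dir: str, user_path: str) -> bool:
    # Hardened decision for a deletion handler: validate the value that would
    # actually reach unlink(), i.e. after any upstream filtering, and accept
    # only a bare file name inside the base directory.
    candidate = naive_strip(user_path)
    if candidate in ("", ".", "..") or "/" in candidate or "\\" in candidate:
        return False
    return is_within(base_dir, candidate)


# Assumed upload location for the plugin; not taken from the plugin's source.
BASE = "/var/www/html/wp-content/plugins/contact-page-with-google-map/uploads"

if __name__ == "__main__":
    # The advisory's pattern survives the filter as a plain '../' token.
    print(repr(naive_strip(".../...//")))            # '../'
    # Before filtering the same input names a harmless directory called '...';
    # after filtering it escapes the plugin directory.
    payload = ".../...//.../...//wp-config.php"
    print(is_within(BASE, payload))                   # True
    print(is_within(BASE, naive_strip(payload)))      # False
    print(deletion_allowed(BASE, "photo.png"))        # True
    print(deletion_allowed(BASE, payload))            # False
```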
Attack Vector
An attacker sends a crafted HTTP request to the vulnerable endpoint exposed by the plugin. The request includes a file or equivalent parameter containing .../...// sequences pointing at sensitive files such as wp-config.php, .htaccess, or theme files. The server resolves the path outside the plugin scope and deletes the file. Deleting wp-config.php forces WordPress into setup mode, which an attacker can hijack to point the installation at an attacker-controlled database and gain administrative access. Refer to the Patchstack Vulnerability Report for additional technical details.
Detection Methods for CVE-2024-52447
Indicators of Compromise
- HTTP requests to wp-admin/admin-ajax.php or plugin endpoints containing .../...//, ..%2f, or ..%5c sequences in parameter values
- Unexpected deletion of wp-config.php, .htaccess, or core WordPress files on hosts running the plugin
- WordPress instances unexpectedly returning the initial setup wizard (/wp-admin/setup-config.php)
- Web server access logs showing requests to contact-page-with-google-map endpoints from unauthenticated sources
Detection Strategies
- Inspect web server and WAF logs for traversal patterns targeting /wp-content/plugins/contact-page-with-google-map/ paths
- Monitor filesystem audit logs for unlink() operations on critical WordPress files originating from the PHP worker process
- Alert on HTTP requests that combine the plugin path with file path parameters and traversal tokens
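The detection strategies above, worked through in Python over constructed access-log lines (not real traffic): the detector decodes each request target, looks for the same traversal token shape as the WAF rule further down, and alerts when it is aimed at the plugin or AJAX endpoint, or when the setup wizard is reached. This is an added example, not tooling from the page; the 'file' parameter name in the sample lines is assumed.

```python
import re
from urllib.parse import unquote

# Combined-log request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Two or more dots then a separator, checked after decoding so '..%2f', '..%5c' and double-encoded forms match.
TRAVERSAL_RE = re.compile(r"\.{2,}[\\/]")
PLUGIN_MARKERS = ("contact-page-with-google-map", "/wp-admin/admin-ajax.php")
SETUP_WIZARD = "/wp-admin/setup-config.php"


def fully_decode(value: str, rounds: int = 3) -> str:
    # Bounded repeated percent-decoding so nested encodings cannot hide a token.
    for _ in range(rounds):
        value = unquote(value)
    return value


def analyze(line: str):
    # Tag one access-log line with the advisory's indicators; None if unparsable.
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("target"))
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if any(marker in decoded for marker in PLUGIN_MARKERS):
        reasons.append("plugin-endpoint")
    if SETUP_WIZARD in decoded:
        reasons.append("setup-wizard")
    return {"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons}


def scan(lines):
    # Alert on traversal aimed at the plugin/AJAX endpoint, or on any setup-wizard hit.
    hits = []
    for tagged in filter(None, map(analyze, lines)):
        reasons = set(tagged["reasons"])
        if {"traversal", "plugin-endpoint"} <= reasons or "setup-wizard" in reasons:
            hits.append(tagged)
    return hits


# Constructed sample lines, not real traffic; the 'file' parameter name is assumed.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Nov/2024:10:00:01 +0000] "GET /wp-content/plugins/contact-page-with-google-map/css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?file=.../...//.../...//wp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Nov/2024:10:00:06 +0000] "GET /wp-content/plugins/contact-page-with-google-map/?file=..%252f..%252fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Nov/2024:10:02:00 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]
```

Feed real lines to scan() in place of SAMPLE_LOG; the benign stylesheet request is tagged as plugin-related but produces no alert.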
Monitoring Recommendations
- Enable file integrity monitoring on wp-config.php, wp-content/, and root-level WordPress files
- Forward web server, PHP-FPM, and OS-level file event logs to a central data lake for correlated analysis
- Track installed plugin inventory and version metadata to flag hosts still running contact-page-with-google-map <= 1.6.1
How to Mitigate CVE-2024-52447
Immediate Actions Required
- Deactivate and remove the Contact Page With Google Map plugin until a fixed version is available and confirmed installed
- Audit wp-config.php, .htaccess, and plugin directories for unauthorized deletions or modifications
- Rotate WordPress database credentials and administrative account passwords if file deletion is suspected
- Restrict access to WordPress admin and AJAX endpoints by IP where operationally feasible
Patch Information
At the time of publication, no patched version is listed in the available references. Monitor the Patchstack Vulnerability Report and the plugin's WordPress.org page for an updated release beyond 1.6.1. Apply the vendor patch as soon as it becomes available.
Workarounds
- Block HTTP requests containing .../...//, ..%2f, and other traversal encodings at the WAF or reverse proxy layer
- Set restrictive filesystem permissions so the PHP process cannot delete wp-config.php or files outside wp-content/uploads/
- Replace the plugin with a maintained alternative if the project remains unpatched
# Example ModSecurity rule to block traversal attempts targeting the plugin.
# First rule: match any request whose URI references the plugin; "chain" defers the
# deny until the second rule also matches. Requests routed through wp-admin/admin-ajax.php
# do not contain the plugin path in the URI and need a separate rule keyed on that path.
SecRule REQUEST_URI "@contains contact-page-with-google-map" \
"chain,id:1005247,phase:2,deny,status:403,log,msg:'CVE-2024-52447 path traversal attempt'"
# Second rule: two or more dots followed by a slash or backslash in any argument, evaluated
# after URL/Unicode decoding so ..%2f and ..%5c are caught as well as the literal form.
SecRule ARGS "@rx \.{2,}[\\/]" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.