CVE-2024-1076: SSL Zen <= 4.5.3 - Unauthenticated Private Keys Access

6.5 CVSS

Description

The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder: it relies only on .htaccess to prevent visitors from accessing the site's generated private keys. This allows an attacker to read them if the site runs on a server that does not support .htaccess files, such as NGINX.

Classification

CVE ID: CVE-2024-1076

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

Problem Types

CWE-548 Exposure of Information Through Directory Listing

Affected Products

Vendor: Unknown

Product: SSL Zen

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 30.5% (share of scored vulnerabilities with an equal or lower score)

EPSS Date: 2025-04-23 (when this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1076
https://wpscan.com/vulnerability/9c3e9c72-3d6c-4e2c-bb8a-f4efce1371d5/

Timeline