Platform: wordpress
Component: addon-elements-for-elementor-page-builder
Fixed in: 1.12.13
CVE-2024-1358 is a Directory Traversal vulnerability affecting the Elementor Addon Elements plugin for WordPress. An authenticated attacker, possessing contributor access or higher, can leverage this flaw to include arbitrary PHP files on the server. This vulnerability impacts versions up to and including 1.12.12. A patch is available from the vendor.
The Directory Traversal vulnerability in Elementor Addon Elements allows an authenticated attacker to read arbitrary files on the server. This is achieved by manipulating the render function to include files outside of the intended directory. Successful exploitation could expose sensitive configuration files, database credentials, or even source code. The impact is particularly severe if the server hosts other sensitive applications or data. While the vulnerability requires authentication, the relatively low access requirements (contributor role) broaden the potential attack surface.
CVE-2024-1358 was publicly disclosed on March 13, 2024. No public proof-of-concept (POC) code has been widely released at the time of writing, but the vulnerability's nature makes it likely that POCs will emerge. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
WordPress sites using the Elementor Addon Elements plugin, particularly those with contributor-level users or higher, are at risk. Shared hosting environments where users have limited control over server file permissions are especially vulnerable. Sites with outdated plugin versions are also at increased risk.
• wordpress / composer / npm:
grep -rn "function render" /var/www/html/wp-content/plugins/addon-elements-for-elementor-page-builder/ # Locate the render functions in the plugin source
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/addon-elements-for-elementor-page-builder/some_file.php | grep "PHP/" # Check for PHP file exposure
EPSS: 2.61% (86th percentile)
The primary mitigation for CVE-2024-1358 is to upgrade the Elementor Addon Elements plugin to a version newer than 1.12.12, as the vendor has released a patch. If immediate upgrading is not possible, consider restricting file permissions on the server to limit the attacker's ability to read sensitive files. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can provide an additional layer of defense. Monitor WordPress logs for suspicious file inclusion attempts.
Update the Elementor Addon Elements plugin to the latest available version. The directory traversal vulnerability allows the inclusion of arbitrary PHP files, which could expose sensitive information. The update fixes this vulnerability.
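To find installs that still need the upgrade, the version check can be scripted. The following is an added example, not code from the vendor or from this advisory; it assumes the plugin lives in a directory named after its slug, that `sort -V` is available, and the demo file name `plugin-main.php` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: report whether a WordPress install carries a pre-fix plugin release.
FIXED_VERSION="1.12.13"                                  # "Fixed in" value from this page
PLUGIN_SLUG="addon-elements-for-elementor-page-builder"  # component slug from this page

# Print the "Version:" plugin header found in the top-level PHP files of $1.
plugin_version() {
    grep -hoiE '^[[:space:]*#/]*Version:[[:space:]]*[0-9][^[:space:]]*' "$1"/*.php 2>/dev/null \
        | head -n 1 | sed -E 's/^[^:]*:[[:space:]]*//'
}

# True when version $1 sorts strictly before $2 (needs a sort with -V).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify the install rooted at $1: not-installed, unknown, vulnerable <v>, patched <v>.
check_install() {
    local dir="$1/wp-content/plugins/$PLUGIN_SLUG" ver
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver="$(plugin_version "$dir")"
    if [ -z "$ver" ]; then echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then echo "vulnerable $ver"
    else echo "patched $ver"
    fi
}

# Constructed sample: a WordPress root holding the plugin at version $2.
make_demo_install() {
    local dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    mkdir -p "$dir"
    # plugin-main.php is a hypothetical file name; only the header matters here.
    printf '<?php\n/**\n * Plugin Name: Demo\n * Version: %s\n */\n' "$2" > "$dir/plugin-main.php"
}

if [ "$#" -gt 0 ]; then
    for root in "$@"; do printf '%s\t%s\n' "$root" "$(check_install "$root")"; done
else    # no arguments: run against a constructed install
    demo="$(mktemp -d)"; make_demo_install "$demo" "1.12.12"
    check_install "$demo"; rm -rf "$demo"
fi
```

Pass one or more WordPress root directories as arguments to check real installs; a result of `unknown` means no version header was readable and the install needs a manual look.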
CVE-2024-1358 is a Directory Traversal vulnerability in the Elementor Addon Elements WordPress plugin, allowing authenticated attackers to include arbitrary PHP files.
You are affected if you are using Elementor Addon Elements version 1.12.12 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Elementor Addon Elements plugin to the latest version, which contains a patch for this vulnerability. If immediate upgrade is not possible, restrict file access permissions.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the Elementor security advisory for detailed information and updates: [https://elementor.com/security/](https://elementor.com/security/)