Platform
wordpress
Component
ht-mega-for-elementor
Fixed in
2.4.7
CVE-2024-1974 describes a Directory Traversal vulnerability discovered in the HT Mega – Absolute Addons For Elementor plugin for WordPress. This vulnerability allows authenticated attackers, possessing contributor access or higher, to read arbitrary files on the server. The vulnerability impacts versions of the plugin up to and including 2.4.6. A patch has been released in version 2.4.7.
The Directory Traversal vulnerability in HT Mega allows an attacker who has authenticated access (contributor role or higher) to bypass intended file system restrictions. By manipulating the render function, an attacker can construct malicious requests that lead to the disclosure of sensitive files. This could include configuration files containing database credentials, private keys, or other confidential information. The potential blast radius extends to any data accessible by the web server process. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server.
CVE-2024-1974 was publicly disclosed on April 9, 2024. A public proof-of-concept is likely to emerge given the ease of exploitation and the plugin's popularity. The vulnerability is not currently listed on the CISA KEV catalog, but its HIGH severity warrants monitoring. Active exploitation campaigns are possible, particularly targeting vulnerable WordPress sites with known contributor accounts.
WordPress websites utilizing the HT Mega – Absolute Addons For Elementor plugin, particularly those with contributor-level users or higher, are at risk. Shared hosting environments where file permissions are not tightly controlled are especially vulnerable, as an attacker could potentially leverage this vulnerability to access files belonging to other users on the same server.
• wordpress / composer / npm:
  grep -r "render function" /var/www/html/wp-content/plugins/ht-mega-addons-for-elementor/
• generic web:
  curl -I https://example.com/wp-content/uploads/sensitive_file.txt  # Attempt to access a known sensitive file
• wordpress / composer / npm:
  wp plugin list | grep "ht-mega-addons-for-elementor"
• wordpress / composer / npm:
  wp plugin update ht-mega-addons-for-elementor
Exploit status
EPSS
2.61% (86th percentile)
CVSS vector
The primary mitigation for CVE-2024-1974 is to immediately upgrade the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to limit the potential impact of a successful attack. Implement a Web Application Firewall (WAF) with rules to block suspicious file access attempts targeting the render function. Monitor WordPress access logs for unusual file requests and patterns indicative of directory traversal attempts.
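The two defensive checks above (confirm the installed version is below 2.4.7, and watch access logs for traversal patterns) as an added example script, not code from the advisory or the plugin; the plugin header file and the log lines it reads are constructed sample data:

```shell
#!/bin/sh
# Added example, not part of the advisory: compare an installed copy of the plugin
# against the fixed release 2.4.7 and count traversal-looking requests in an
# access log. The plugin file and log lines below are constructed for the demo.
FIXED_VERSION="2.4.7"

# Read the "Version:" field from a WordPress plugin header file.
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2 (portable, no sort -V).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# Print "vulnerable", "patched" or "unknown" for the plugin main file at $1.
plugin_status() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || { echo "unknown"; return 0; }
  if version_lt "$v" "$FIXED_VERSION"; then echo "vulnerable"; else echo "patched"; fi
}

# Count requests whose path carries a traversal sequence, plain or URL-encoded.
traversal_hits() {
  grep -ciE '(\.\./|%2e%2e|\.\.%2f)' "$1" || true
}

# Constructed sample inputs (not real data); parameter names are placeholders.
SAMPLE_PLUGIN=$(mktemp); SAMPLE_LOG=$(mktemp)
printf '%s\n' '<?php' '/**' ' * Plugin Name: HT Mega - Absolute Addons for Elementor' \
  ' * Version: 2.4.6' ' */' > "$SAMPLE_PLUGIN"
printf '%s\n' \
  '198.51.100.7 - - [09/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=demo&path=../../wp-config.php HTTP/1.1" 200 512' \
  '198.51.100.7 - - [09/Apr/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=demo&path=..%2F..%2Fwp-config.php HTTP/1.1" 200 512' \
  '203.0.113.9 - - [09/Apr/2024:10:00:03 +0000] "GET /wp-content/plugins/ht-mega-for-elementor/assets/js/app.js HTTP/1.1" 200 9001' \
  > "$SAMPLE_LOG"

echo "plugin: $(plugin_status "$SAMPLE_PLUGIN")"            # vulnerable
echo "traversal requests: $(traversal_hits "$SAMPLE_LOG")"  # 2
```

Point `plugin_status` at the real plugin's main PHP file and `traversal_hits` at the live access log; a non-zero hit count is a trigger for review, not proof of exploitation.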
Update the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. This version contains a fix for the directory traversal vulnerability.
CVE-2024-1974 is a Directory Traversal vulnerability affecting the HT Mega – Absolute Addons For Elementor plugin for WordPress, allowing authenticated users to read arbitrary files.
You are affected if you are using HT Mega – Absolute Addons For Elementor version 2.4.6 or earlier. Check your plugin version and upgrade immediately.
Upgrade the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. Consider temporary workarounds like restricting file access permissions and WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official HT Mega website and WordPress plugin repository for the latest advisory and update information.