Platform: wordpress
Component: addons-for-elementor
Fixed in: 8.3.8
CVE-2024-2385 is a Local File Inclusion (LFI) vulnerability in Elementor Addons by Livemesh (plugin slug addons-for-elementor) for WordPress. An authenticated attacker with contributor-level access or higher can make the plugin include, and therefore execute, arbitrary files already present on the server. All versions up to and including 8.3.7 are affected; the vendor fixed the issue in 8.3.8, so updating promptly is the only complete remedy.
The impact is Remote Code Execution (RCE). PHP's include executes whatever file it loads, so an attacker who controls the included path can run arbitrary PHP under the web server's account and take over the site: data theft, defacement, web-shell or malware installation, and from there compromise of the underlying host. No ability to upload a .php file is required: any file on disk whose contents the attacker influences, such as an uploaded image with PHP code embedded in it, serves as the payload. That is the standard way LFI bugs are escalated to code execution, and it is what makes this issue more than a file-disclosure bug.
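The pattern behind this bug class, shown as an added example written for this page rather than code from the plugin: a widget setting saved by a contributor is used to build an include path. The function names, the templates directory, the allowed style names and the `style` setting are assumptions for illustration; the hardened version resolves the setting through an allowlist and a realpath containment check so the user-controlled string never chooses a path.

```php
<?php
// Added example for this page; not code from Addons for Elementor.
// $settings stands in for widget settings that a contributor saved in the editor.

// VULNERABLE: the saved setting is spliced straight into the include path and
// include() executes the file it loads. Because a directory prefix is applied,
// an absolute path like /etc/passwd does not resolve, but traversal does:
//   ../../../../uploads/2024/07/avatar.jpg   -> runs PHP hidden in an uploaded image
//   ../../../../../../etc/passwd             -> discloses a file outside the web root
function render_widget_vulnerable(array $settings): void
{
    $style = isset($settings['style']) ? (string) $settings['style'] : 'style-1.php';
    include __DIR__ . '/templates/' . $style;
}

// HARDENED: the setting is only ever used as a key into a fixed set of names;
// the path is computed from the key, not from the string the user supplied.
function render_widget_hardened(array $settings): void
{
    $style = isset($settings['style']) ? (string) $settings['style'] : 'style-1';
    $path  = resolve_template($style);
    if ($path === null) {
        // Unknown or tampered value: fall back to the default, never to user input.
        $path = resolve_template('style-1');
    }
    if ($path !== null) {
        include $path;
    }
}

/**
 * Map a style name to a template file, or return null.
 * Two independent guards:
 *  1. an allowlist of known style names, so the string never selects a path;
 *  2. a realpath() containment check, so even a future bad entry in the
 *     allowlist cannot escape the templates directory.
 */
function resolve_template(string $style): ?string
{
    static $allowed = ['style-1', 'style-2', 'style-3']; // assumed template names

    if (!in_array($style, $allowed, true)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . $style . '.php');
    // realpath() returns false for a missing file, so a typo in $allowed is
    // also rejected rather than turned into a warning plus an empty include.
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

// When the set of templates is not fixed in advance, the weaker fallback is a
// strict character allowlist on the name before it is used as a file name.
// Note that this only blocks traversal; it still lets the user pick any file
// in the directory, so prefer the explicit map above where possible.
function style_name_is_well_formed(string $style): bool
{
    return (bool) preg_match('/\A[a-z0-9][a-z0-9-]{0,63}\z/', $style);
}
```

The vulnerable function is the shape to look for when auditing other widgets in the same plugin family: any include, require or file_get_contents whose argument contains a saved setting, a shortcode attribute or a request parameter.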
CVE-2024-2385 was publicly disclosed on 2024-07-04. No public proof-of-concept (PoC) code had been released at the time of writing, though the simplicity of the bug (a saved value reaching an include) means one could appear quickly. The EPSS score is 0.24% (47th percentile), a low predicted probability of in-the-wild exploitation despite the low skill required. It is not listed in the CISA KEV catalog.
The precondition for exploitation is a valid login at contributor level or above, so sites where untrusted people hold such roles (multi-author blogs, community sites, client sites with many editors) are the primary targets. Shared hosting raises the stakes: code execution on one site can reach neighbouring sites on the same server unless the host isolates accounts. Legacy installations with unmaintained plugins and weak account hygiene are the most exposed.
How to check (wordpress / composer / npm):
• Confirm whether the plugin is installed and which version is active. Use the plugin directory from the Component field above (addons-for-elementor); the original page used the directory name elementor-addons-by-livemesh, which does not match its own Component field:
  wp plugin list --fields=name,status,version | grep addons-for-elementor
• Look for the vulnerable pattern in the plugin source (the original page's grep, which searches for style settings that reach the uploads directory):
  grep -r 'style=".*/wp-content/uploads/' /var/www/html/wp-content/plugins/addons-for-elementor/
• The original page also offered a request-level probe against a style.php endpoint. The advisory does not name a directly reachable endpoint, so treat that path as a placeholder for the front-end request that renders the affected widget, fetch the body (a HEAD request shows nothing), and run it only against systems you are authorised to test:
  curl -s 'http://your-wordpress-site.com/wp-content/plugins/addons-for-elementor/style.php?style=/etc/passwd'
Exploit status: no public PoC; not in CISA KEV
EPSS: 0.24% (47th percentile)
CISA SSVC: not provided
CVSS vector: not provided
The fix for CVE-2024-2385 is to upgrade Elementor Addons by Livemesh to 8.3.8 or later. If the upgrade has to wait (compatibility testing, change freeze), reduce the blast radius in the meantime: deactivate the plugin if the site can tolerate it; audit who holds contributor or higher roles and remove accounts that do not need them, since a valid login at that level is the precondition for exploitation; and keep file uploads away from accounts that do not need them. Note that the default contributor role cannot upload files at all, so an upload restriction mainly matters for author and above, and it limits the path to code execution rather than the file inclusion itself. A Web Application Firewall (WAF) rule that rejects traversal sequences and absolute paths in the affected widget's style setting adds a layer but is bypass-prone, not a fix. Review installed plugins regularly and remove any that are unused.
Update the Elementor Addons by Livemesh plugin to the latest available version; this resolves the local file inclusion vulnerability.
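A stop-gap for sites that cannot upgrade immediately, as an added example (not vendor code): a must-use plugin that compares the installed version against the fixed release and, for an affected version, either deactivates the plugin or raises an admin notice. The function names, the CVE_2024_2385_DEACTIVATE switch and the assumption that the plugin lives in the addons-for-elementor directory under wp-content/plugins are this example's own.

```php
<?php
/**
 * Plugin Name: CVE-2024-2385 stop-gap guard
 *
 * Added example for this page, not vendor code. Drop into wp-content/mu-plugins/.
 * Finds the plugin by its directory name (the Component slug addons-for-elementor),
 * compares the installed version with the fixed release 8.3.8, and for an affected
 * version either deactivates the plugin or shows an admin notice, depending on
 * the CVE_2024_2385_DEACTIVATE constant (an assumption of this example, which
 * you may define in wp-config.php).
 */

if (!defined('ABSPATH')) {
    exit;
}

const CVE_2024_2385_FIXED_VERSION = '8.3.8';
const CVE_2024_2385_PLUGIN_DIR    = 'addons-for-elementor'; // assumed directory name

if (!defined('CVE_2024_2385_DEACTIVATE')) {
    define('CVE_2024_2385_DEACTIVATE', false); // true = deactivate, false = warn only
}

/** True when the installed version is below the fixed release, i.e. 8.3.7 or earlier. */
function cve_2024_2385_is_affected(string $installed): bool
{
    return version_compare($installed, CVE_2024_2385_FIXED_VERSION, '<');
}

/** Locate the plugin's main file and version from WordPress's plugin list, or null if absent. */
function cve_2024_2385_find_plugin(): ?array
{
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach (get_plugins() as $file => $data) {
        // Plugin files are keyed as "<directory>/<main-file>.php".
        if (strpos($file, CVE_2024_2385_PLUGIN_DIR . '/') === 0) {
            return ['file' => $file, 'version' => (string) $data['Version']];
        }
    }
    return null;
}

add_action('admin_init', function () {
    $plugin = cve_2024_2385_find_plugin();
    if ($plugin === null || !is_plugin_active($plugin['file'])) {
        return; // not installed or already inactive: nothing to guard
    }
    if (!cve_2024_2385_is_affected($plugin['version'])) {
        return; // 8.3.8 or later
    }

    if (CVE_2024_2385_DEACTIVATE) {
        deactivate_plugins($plugin['file']);
        $message = sprintf(
            'Addons for Elementor %s is affected by CVE-2024-2385 and has been deactivated. Update to %s or later, then re-activate it.',
            $plugin['version'],
            CVE_2024_2385_FIXED_VERSION
        );
    } else {
        $message = sprintf(
            'Addons for Elementor %s is affected by CVE-2024-2385 (local file inclusion, contributor+). Update to %s or later.',
            $plugin['version'],
            CVE_2024_2385_FIXED_VERSION
        );
    }

    add_action('admin_notices', function () use ($message) {
        printf('<div class="notice notice-error"><p>%s</p></div>', esc_html($message));
    });
});
```

Because it hooks admin_init, the check runs the next time someone loads wp-admin, which is adequate for a temporary guard but not a substitute for applying 8.3.8. The version comparison is kept in its own function so it can be unit-tested on its own: it must return true for 8.3.7 and false for 8.3.8.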
CVE-2024-2385 is a Local File Inclusion vulnerability in Elementor Addons by Livemesh for WordPress that lets authenticated users with contributor-level access or higher include, and thereby execute, arbitrary files on the server.
You are affected if you are using Elementor Addons by Livemesh version 8.3.7 or earlier. Check your plugin version immediately.
Upgrade Elementor Addons by Livemesh to a version higher than 8.3.7. If immediate upgrade isn't possible, restrict file uploads and user permissions.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority risk. Monitor for updates.
Refer to the official Elementor Addons website and WordPress plugin repository for the latest advisory and update information.