Platform
wordpress
Component
elementor
Fixed in
3.19.1
CVE-2024-24934 describes an Insecure Deserialization vulnerability, specifically a path traversal issue, affecting the Elementor Website Builder plugin for WordPress. This flaw allows attackers to manipulate web input to potentially access and modify files on the server's file system. The vulnerability impacts versions of Elementor Website Builder up to and including 3.19.0. A patch has been released in version 3.19.1.
The primary impact of CVE-2024-24934 is the potential for unauthorized file access and modification. An attacker exploiting this path traversal vulnerability could read sensitive configuration files, upload malicious code, or even execute arbitrary commands on the server, depending on the server's configuration and permissions. Successful exploitation could lead to complete website compromise, data breaches, and denial of service. This vulnerability shares similarities with other path traversal exploits, where attackers leverage improper input validation to bypass security controls and access restricted resources. The blast radius extends to the entire WordPress installation and potentially any connected systems if credentials are compromised.
CVE-2024-24934 was publicly disclosed on 2024-05-17. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept could change this rapidly. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 8.5 (HIGH) indicates a significant potential for exploitation.
WordPress websites utilizing the Elementor Website Builder plugin are at risk. This includes sites with older Elementor installations (≤3.19.0), shared hosting environments where file system access may be more permissive, and sites where Elementor users have elevated privileges.
• wordpress / composer / npm:
grep -rF 'unserialize($_REQUEST[' /var/www/html/wp-content/plugins/elementor/core/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/elementor/core/somefile.php?path=/etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.88% (75th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2024-24934 is to immediately upgrade Elementor Website Builder to version 3.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file upload permissions for the Elementor plugin directory and carefully reviewing any user-supplied input that is used in file system operations. Web Application Firewalls (WAFs) configured with rules to detect and block path traversal attempts can also provide an additional layer of defense. After upgrading, confirm the fix by attempting a path traversal attack using a tool like Burp Suite to verify that access to restricted directories is blocked.
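The workaround above (checking user-supplied input before it reaches a file system operation) as an added PHP illustration, not Elementor's own code: the `template` parameter, the base directory and the function names are hypothetical. It places the pattern that enables both path traversal and Phar deserialization beside a hardened version.

```php
<?php
// Added illustration for CVE-2024-24934, not code from Elementor.
// Assumptions: a hypothetical request parameter "template" and a
// plugin-controlled base directory $base_dir; function names are invented.

// Vulnerable pattern: the request value reaches file_exists() unchanged.
// "../" segments walk out of the intended directory, and a "phar://" prefix
// makes PHP unserialize the archive's metadata during the stat call, so
// deserialization happens without any unserialize() in this code.
function load_template_vulnerable(string $path): ?string {
    return file_exists($path) ? file_get_contents($path) : null;
}

// Hardened version: allow-list the name, refuse stream wrappers, resolve the
// canonical path and require it to stay inside $base_dir.
function safe_template_path(string $base_dir, string $name): ?string {
    // A scheme prefix (phar://, php://, data://, ...) is never a template name.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        return null;
    }
    // Plain file names only: no slashes, no "..", exactly one .php suffix.
    if (!preg_match('#^[A-Za-z0-9_\-]+\.php$#', $name)) {
        return null;
    }
    $root = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    if ($root === false || $real === false) {
        return null; // base directory missing or file does not exist
    }
    // realpath() has collapsed any ".." and symlinks, so a prefix check on the
    // canonical path reliably confines access to $base_dir.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function load_template_hardened(string $base_dir, string $name): ?string {
    $path = safe_template_path($base_dir, $name);
    return $path === null ? null : file_get_contents($path);
}

// Usage (constructed inputs): both traversal and wrapper names are refused.
$base_dir = __DIR__ . '/templates';
var_dump(safe_template_path($base_dir, '../../wp-config.php'));
var_dump(safe_template_path($base_dir, 'phar://archive.phar/x.php'));
var_dump(safe_template_path($base_dir, 'header.php'));
```

The third call returns the canonical path only if `templates/header.php` actually exists under the base directory; everything else yields null before any file system call is made on attacker-controlled input.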
Update the Elementor Website Builder plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. The update fixes the path traversal and Phar deserialization vulnerability.
CVE-2024-24934 is a HIGH severity vulnerability in Elementor Website Builder allowing attackers to manipulate web input to access the file system. It affects versions up to 3.19.0.
Yes, if you are using Elementor Website Builder version 3.19.0 or earlier, you are vulnerable to this insecure deserialization flaw.
Upgrade Elementor Website Builder to version 3.19.1 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the official Elementor security advisory for detailed information and updates: [https://elementor.com/security/](https://elementor.com/security/)