Platform
wordpress
Component
bdthemes-element-pack
Fixed in
7.19.3
CVE-2024-33568 describes an Insecure Deserialization vulnerability, specifically Path Traversal and Object Injection, within BdThemes Element Pack Pro. This flaw allows attackers to potentially bypass security controls and access restricted resources. The vulnerability affects versions of Element Pack Pro prior to 7.19.3. A patch has been released, and users are strongly advised to upgrade.
The core of this vulnerability lies in the improper handling of deserialization within Element Pack Pro. An attacker can craft malicious input that exploits Path Traversal, allowing them to navigate outside the intended directory structure and access files outside it. Object Injection compounds the risk, potentially enabling the execution of arbitrary code or the modification of critical system configuration. Successful exploitation could lead to unauthorized data access, modification, or even complete system compromise. This vulnerability shares similarities with other deserialization flaws in which attackers manipulate object graphs to achieve malicious outcomes.
CVE-2024-33568 was publicly disclosed on June 4, 2024. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing BdThemes Element Pack Pro, particularly those with weak file access permissions or lacking input validation, are at significant risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable.
• wordpress / composer / npm:
grep -rnF 'unserialize($_REQUEST[' /var/www/html/wp-content/plugins/element-pack-pro/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/element-pack-pro/ | grep -i 'content-type: application/octet-stream'
Disclosure
Exploit status
EPSS
0.74% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-33568 is to immediately upgrade Element Pack Pro to version 7.19.3 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These might include restricting file access permissions within the Element Pack Pro directory and carefully reviewing any user-supplied data before processing it. While not a complete solution, these measures can reduce the attack surface. After upgrading, verify the fix by attempting to trigger the vulnerable deserialization process with a known malicious payload – it should now be properly sanitized.
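The following is an added illustration, not code from Element Pack Pro or BdThemes, of the two weaknesses described above and the "carefully review user-supplied data" workaround: the unsafe `unserialize()`-on-request-input pattern the grep command on this page searches for, a hardened replacement that refuses objects, and a base-directory containment check for the path traversal half. All function names, the sample serialized strings and the temporary files are constructed for the example; it assumes PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added example (hypothetical code, not the plugin's own). Demonstrates:
//  1. the unsafe deserialization pattern the page's grep looks for,
//  2. a hardened restore that rejects any object graph, and
//  3. a realpath-based containment check against path traversal.

// UNSAFE: the caller passes attacker-controlled bytes straight to unserialize(),
// so any class with __wakeup()/__destruct() side effects may be instantiated.
function unsafe_restore(string $raw)
{
    return unserialize($raw);
}

// Returns true if any leaf of the decoded structure is an object
// (including the __PHP_Incomplete_Class placeholder PHP substitutes when
// allowed_classes is false).
function contains_object($data): bool
{
    if (is_object($data)) {
        return true;
    }
    $found = false;
    array_walk_recursive($data, function ($leaf) use (&$found) {
        if (is_object($leaf)) {
            $found = true;
        }
    });
    return $found;
}

// HARDENED: forbid class instantiation entirely and accept only a plain array.
// Returns null for anything else, so callers fail closed.
function safe_restore(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

// Resolves $relative underneath $base and refuses anything that escapes it.
// realpath() collapses "..", symlinks and duplicate separators before the check.
function resolve_within(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null; // does not exist, or not resolvable
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($candidate !== $baseReal && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

// ---- self-check on constructed samples ------------------------------------
$plainArray = 'a:1:{s:8:"template";s:11:"widget.json";}';
$bareObject = 'O:8:"stdClass":0:{}';
$nestedObj  = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

assert(safe_restore($plainArray) === ['template' => 'widget.json']);
assert(safe_restore($bareObject) === null);
assert(safe_restore($nestedObj) === null);
assert(is_object(unsafe_restore($bareObject))); // the unsafe path instantiates it

// Constructed directory layout: <tmp>/templates is the allowed base,
// <tmp>/secret.txt sits one level above it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'deser-demo-' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/widget.json', '{}');
file_put_contents($root . '/secret.txt', 'outside');

assert(resolve_within($root . '/templates', 'widget.json') !== null);
assert(resolve_within($root . '/templates', '../secret.txt') === null);
assert(resolve_within($root . '/templates', 'missing.json') === null);

unlink($root . '/templates/widget.json');
unlink($root . '/secret.txt');
rmdir($root . '/templates');
rmdir($root);
echo "all checks passed\n";
```

Run it with `php example.php` (with `zend.assertions=1` if assertions are to be enforced). The design point is to fail closed twice: `safe_restore()` never hands an object back to business logic, and `resolve_within()` only trusts a path after `realpath()` has normalised it and the result still starts with the base directory.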
Update the Element Pack Pro plugin to version 7.19.3 or later. This update fixes the path traversal and untrusted-data deserialization vulnerabilities. Applying the update as soon as possible is recommended to protect your website.
CVE-2024-33568 is a HIGH severity vulnerability in BdThemes Element Pack Pro versions up to 7.19.3, allowing Path Traversal and Object Injection through insecure deserialization.
If you are using Element Pack Pro versions 7.19.3 or earlier, you are potentially affected by this vulnerability.
Upgrade Element Pack Pro to version 7.19.3 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation.
Refer to the BdThemes website and WordPress plugin repository for the official advisory and update information.