Platform
wordpress
Component
consulting-elementor-widgets
Fixed in
1.3.1
CVE-2024-37092 is a Path Traversal vulnerability affecting Consulting Elementor Widgets versions up to 1.3.0. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. A fix is available in version 1.3.1, and users are strongly advised to upgrade immediately.
The underlying weakness, Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"), lets an attacker include files outside of the intended directory. In this plugin it manifests as PHP Local File Inclusion (LFI). An attacker could potentially read configuration files, source code, or other sensitive data stored on the server. Successful exploitation could lead to complete compromise of the WordPress instance, depending on the files accessed and the privileges of the web server user. This vulnerability is particularly concerning given the popularity of Elementor and the potential for widespread deployment of affected plugins.
CVE-2024-37092 was published on 2024-06-24. No public proof-of-concept exploits are currently known, but the path traversal nature of the vulnerability makes it likely that one will emerge. The EPSS score is likely to be medium due to the relatively straightforward nature of path traversal exploitation and the wide use of Elementor. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress sites utilizing the Consulting Elementor Widgets plugin, particularly those running versions prior to 1.3.1, are at significant risk. Shared hosting environments where plugin updates are not managed centrally are especially vulnerable, as are sites with less stringent security configurations.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/consulting-elementor-widgets/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/consulting-elementor-widgets/../../../../etc/passwd' # Check for file disclosure
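Beyond the one-off checks above, a site owner will want to know whether anyone has already tried this path against their logs. The following is an added example, not code from the advisory or the plugin: it scans web server access log lines in combined format for requests under the plugin path that carry a `..` segment in the path or a query value, after undoing single and double percent-encoding. The `view.php`/`tpl` names in the constructed sample lines are hypothetical; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Plugin path named in the advisory; only requests touching it are scored.
PLUGIN_PATH = "/wp-content/plugins/consulting-elementor-widgets/"

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A bare ".." segment delimited by path, query or parameter separators.
DOTDOT_RE = re.compile(r'(?:^|[/?=&])\.\.(?:[/?&]|$)')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding until stable, so %252e%252e%252f (double-encoded ../) is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True if the request targets the plugin path and carries a '..' segment or NUL byte
    in either the path or a query value (LFI payloads usually arrive in a parameter)."""
    decoded = fully_decode(target).replace("\\", "/")
    if PLUGIN_PATH not in decoded:
        return False
    return bool(DOTDOT_RE.search(decoded)) or "\x00" in decoded


def scan_log(lines):
    """Return (client ip, status, decoded target) for each line flagged as a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["ip"], int(m["status"]), fully_decode(m["target"])))
    return hits


# Constructed sample lines (not real traffic): a benign asset request, the advisory's plain
# traversal, an encoded and a double-encoded hypothetical parameter, and an unrelated plugin.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jun/2024:10:00:01 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/assets/js/widgets.js HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/../../../../etc/passwd HTTP/1.1" 200 1234',
    '198.51.100.9 - - [24/Jun/2024:10:00:03 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/view.php?tpl=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [24/Jun/2024:10:00:04 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/view.php?tpl=%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
    '192.0.2.7 - - [24/Jun/2024:10:00:05 +0000] "GET /wp-content/plugins/other-plugin/../../../etc/passwd HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {target}")
```

A 200 response on a flagged line deserves a closer look than a 403 or 404, since it suggests the request was served rather than blocked.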
Exploit status
EPSS
1.08% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37092 is to upgrade Consulting Elementor Widgets to version 1.3.1 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing stricter file access controls on the server to limit the impact of a potential LFI attack. Web Application Firewalls (WAFs) can be configured with rules to block suspicious path traversal attempts, although this is not a substitute for patching. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed.
Update the Consulting Elementor Widgets plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 1.3.0. Consult the plugin documentation for instructions on how to update.
CVE-2024-37092 is a Path Traversal vulnerability in Consulting Elementor Widgets allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Consulting Elementor Widgets version 1.3.0 or earlier, you are vulnerable to this path traversal attack.
Upgrade Consulting Elementor Widgets to version 1.3.1 or later to resolve this vulnerability. Consider temporary WAF rules if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the StylemixThemes website and WordPress plugin repository for the latest advisory and update information.