Platform: wordpress
Component: ultimate-bootstrap-elements-for-elementor
Fixed in: 1.4.3
CVE-2024-37462 describes a Path Traversal vulnerability discovered in the Ultimate Bootstrap Elements for Elementor plugin. This flaw allows unauthorized access to sensitive files on the server, potentially exposing configuration data, source code, or other critical information. The vulnerability impacts versions of the plugin up to and including 1.4.2, with a fix released in version 1.4.3.
The Path Traversal vulnerability allows an attacker to bypass intended access restrictions and retrieve files from directories that should be protected. By crafting malicious requests, an attacker can manipulate file paths to access files outside of the intended web root. This could lead to the exposure of sensitive data such as database credentials, API keys, or internal configuration files. Successful exploitation could also enable an attacker to modify or even execute arbitrary code on the server, depending on the files they manage to access and the server's configuration. This vulnerability shares similarities with other path traversal exploits where attackers leverage directory traversal sequences (e.g., ../) to navigate the file system.
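The paragraph above describes the mechanism in general terms. The following Python snippet is an added illustration, not code from the plugin (which is PHP) or from this advisory: it contrasts a naive "reject the string ../" filter with a containment check performed on the canonicalised path, using a constructed asset directory (ASSET_ROOT) and constructed request strings. The naive filter both misses percent-encoded traversal and wrongly rejects a harmless path that stays inside the directory; the canonical check handles both.

```python
"""Allowlist check for serving files from a fixed plugin directory.

Added example in Python (not the plugin's PHP code): compares a naive
literal-string filter with a check on the normalised path.
"""
import posixpath
from urllib.parse import unquote

# Constructed base directory for the example; not a path from the advisory.
ASSET_ROOT = "/var/www/html/wp-content/plugins/example-plugin/assets"


def naive_filter(requested: str) -> bool:
    """The weak check: allow unless the literal string '../' appears."""
    return "../" not in requested


def resolve_under(base_dir: str, requested: str):
    """Return the canonical path if it stays inside base_dir, else None.

    The request is percent-decoded once (as a web server does before
    routing), joined to the base and normalised so every '..' is collapsed.
    Containment is decided on the normalised result, not on the raw string.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or posixpath.isabs(decoded):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# Constructed request paths used to compare the two checks.
SAMPLE_REQUESTS = [
    "css/style.css",                          # legitimate
    "css/../js/app.js",                       # legitimate, stays inside
    "../../../../etc/passwd",                 # plain traversal
    "%2e%2e/%2e%2e/%2e%2e/wp-config.php",     # percent-encoded dots
    "..%2f..%2fwp-config.php",                # percent-encoded slash
    "/etc/passwd",                            # absolute path
]


def compare_checks(requests=SAMPLE_REQUESTS):
    """Map each request to (naive_filter_allows, canonical_check_allows)."""
    return {
        r: (naive_filter(r), resolve_under(ASSET_ROOT, r) is not None)
        for r in requests
    }


if __name__ == "__main__":
    for req, (naive_ok, canon_ok) in compare_checks().items():
        print(f"{req!r:45} naive={naive_ok!s:5} canonical={canon_ok}")
```

The design point is that the decision is made after decoding and normalising, so the check sees the path the filesystem would actually open rather than the bytes the client sent.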
CVE-2024-37462 was publicly disclosed on 2024-07-09. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are emerging, increasing the risk of exploitation.
WordPress websites using the Ultimate Bootstrap Elements for Elementor plugin, particularly those running older versions (≤1.4.2) and those with weak file permission configurations, are at risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/ultimate-bootstrap-elements-for-elementor/   # -F: match the literal string, not a regex

• generic web:
curl -I --path-as-is 'http://example.com/wp-content/plugins/ultimate-bootstrap-elements-for-elementor/../../../../etc/passwd'   # check for sensitive file access; --path-as-is stops curl from collapsing the ../ segments before sending

Disclosure
Exploit status:
EPSS: 1.66% (82nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-37462 is to immediately upgrade the Ultimate Bootstrap Elements for Elementor plugin to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) to filter requests containing potentially malicious path traversal sequences. Configure the WAF to block requests with patterns like ../ or other directory traversal attempts. Additionally, review file permissions on the server to ensure that sensitive files are not accessible by the web server user. After upgrading, verify the fix by attempting to access a file outside the intended web root via a crafted URL; access should be denied.
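The WAF advice above blocks "patterns like ../"; a rule that matches only the literal string misses percent-encoded and double-encoded forms. The following Python script is an added example, not part of the advisory or of any WAF product: it decodes the request path before testing for a ".." segment and runs that test over a few constructed Apache-style access log lines (the IPs and requests are invented), returning the flagged lines and a per-source count. The same decode-then-inspect logic is what a WAF rule or log-monitoring alert for this plugin should apply.

```python
"""Scan access log lines for path traversal attempts, decoding first.

Added example; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

PLUGIN = "/wp-content/plugins/ultimate-bootstrap-elements-for-elementor"

# Constructed sample log (Apache combined-style prefix), not real traffic.
SAMPLE_LOG = f"""\
203.0.113.5 - - [09/Jul/2024:10:00:01 +0000] "GET {PLUGIN}/assets/css/style.css HTTP/1.1" 200 512
203.0.113.9 - - [09/Jul/2024:10:00:02 +0000] "GET {PLUGIN}/../../../../etc/passwd HTTP/1.1" 404 201
203.0.113.9 - - [09/Jul/2024:10:00:03 +0000] "GET {PLUGIN}/%2e%2e/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 403 150
203.0.113.9 - - [09/Jul/2024:10:00:04 +0000] "GET {PLUGIN}/%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 150
198.51.100.7 - - [09/Jul/2024:10:00:05 +0000] "GET /wp-content/themes/example/style.css?v=1..2 HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """True if the decoded request path contains a '..' segment.

    The query string is dropped first, so '?v=1..2' is not a false positive;
    backslashes are treated as separators for Windows-hosted servers.
    """
    path = target.split("?", 1)[0]
    decoded = fully_decode(path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str):
    """Return (line_no, ip, status, target) for every flagged request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((n, m["ip"], m["status"], m["target"]))
    return hits


def count_by_ip(hits):
    """Aggregate flagged requests per source address for alert thresholds."""
    counts = {}
    for _, ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for line_no, ip, status, target in found:
        print(f"line {line_no}: {ip} status={status} {target}")
    print(count_by_ip(found))
```

A 403 or 404 on a flagged line is what a patched or WAF-protected site should show; a 200 on such a request after upgrading is the signal to investigate, which matches the verification step in the mitigation text.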
Update the Ultimate Bootstrap Elements for Elementor plugin to the latest available version. The Local File Inclusion (LFI) vulnerability has been fixed in versions after 1.4.2. To update, go to the WordPress admin panel, open the 'Plugins' section and search for 'Ultimate Bootstrap Elements for Elementor' to update it.
CVE-2024-37462 is a Path Traversal vulnerability affecting Ultimate Bootstrap Elements for Elementor plugin versions up to 1.4.2, allowing attackers to access arbitrary files on the server.
Yes, if you are using Ultimate Bootstrap Elements for Elementor version 1.4.2 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade the Ultimate Bootstrap Elements for Elementor plugin to version 1.4.3 or later to resolve the vulnerability. Implement file access restrictions as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation for Path Traversal vulnerabilities suggests that exploitation is possible.
Refer to the official G5Theme website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-37462.