Platform
wordpress
Component
ultimate-bootstrap-elements-for-elementor
Fixed in
1.4.5
CVE-2024-43140 describes a Path Traversal vulnerability within the Ultimate Bootstrap Elements for Elementor plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions of the plugin up to and including 1.4.4, with a fix available in version 1.4.5.
The core of this vulnerability lies in the improper handling of file paths within the plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and accessing files outside the designated directory. Successful exploitation allows for PHP Local File Inclusion (LFI), meaning an attacker can include arbitrary files on the server. This could expose sensitive configuration files, database credentials, or even allow the attacker to execute arbitrary code if the included file contains PHP code. The potential blast radius is significant, as a compromised WordPress site can be used as a launchpad for further attacks against the internal network.
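The defensive pattern that closes this class of bug is to resolve the requested name against the intended directory and prove the result still lies inside it, rather than searching the string for "../". The following Python example, added here and not taken from the plugin, builds a constructed directory tree (a templates folder with a wp-config.php two levels above it) and shows a resolver that refuses every probe except the legitimate file; the "template" parameter name and the file layout are assumptions for illustration.

```python
import os
import tempfile
from typing import Dict, Optional

# Constructed layout (not the plugin's own tree): a templates directory that a
# hypothetical "template" parameter may select from, and a wp-config.php two
# levels above it that must never be reachable through that parameter.
def build_fixture() -> str:
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    templates = os.path.join(root, "plugin", "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "card.php"), "w") as fh:
        fh.write("<?php echo 'card'; ?>\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret'); ?>\n")
    return templates


def resolve_template(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` inside `base_dir`, or None if it escapes.

    The web server has already percent-decoded the parameter, so the check works
    on the final string; realpath() collapses '..' and symlinks, and commonpath()
    proves the result is still under base_dir, however the '..' was spelled.
    """
    if "\x00" in requested:             # a null byte is never part of a legitimate name
        return None
    if not requested.endswith(".php"):  # allowlist: templates are PHP files only
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:  # escaped the directory
        return None
    if not os.path.isfile(candidate):                   # no such template
        return None
    return candidate


TEMPLATE_DIR = build_fixture()

# Constructed probes: only the first two name the legitimate template.
# Percent-encoded dots that reach the resolver undecoded are simply a
# nonexistent file name, so they are denied as well.
PROBES = [
    "card.php",
    "./card.php",
    "../../wp-config.php",
    "/etc/passwd",
    "card.php\x00.png",
    "%2e%2e/%2e%2e/wp-config.php",
]


def demo() -> Dict[str, bool]:
    """Map each probe to whether the resolver would serve it."""
    return {p: resolve_template(TEMPLATE_DIR, p) is not None for p in PROBES}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{'ALLOW' if accepted else 'DENY '} {probe!r}")
```

The containment check is what makes the difference: a blocklist of "../" can be bypassed by encoding or by absolute paths, whereas realpath plus commonpath rejects anything that does not end up under the intended directory.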
This vulnerability was publicly disclosed on August 13, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the availability of a path traversal vulnerability in a widely used WordPress plugin presents a significant risk. The ease of exploitation, combined with the prevalence of WordPress sites, makes this a potential target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Websites using the Ultimate Bootstrap Elements for Elementor plugin, particularly those running older versions (≤1.4.4), are at risk. Shared hosting environments where WordPress installations have limited access control are especially vulnerable, as an attacker could potentially exploit this vulnerability on multiple sites simultaneously.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/ultimate-bootstrap-elements-for-elementor/*
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/ultimate-bootstrap-elements-for-elementor/../../../../etc/passwd
Exploit status
EPSS
0.91% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-43140 is to immediately upgrade the Ultimate Bootstrap Elements for Elementor plugin to version 1.4.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Additionally, restrict file permissions on sensitive files to prevent unauthorized access. Monitor WordPress access logs for suspicious file inclusion attempts, looking for unusual file paths being accessed.
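The monitoring advice above can be turned into a small log scanner. The Python example below is added here (it is not part of the advisory) and runs over constructed access-log lines in the common combined format; the request path and the "file" query parameter in those lines are placeholders, not the plugin's real endpoint or parameter. It percent-decodes each request target repeatedly so that single- and double-encoded dot-dot sequences and null bytes are caught, then groups findings by source address and separates the requests the server answered with 200, which deserve the first look.

```python
import re
import urllib.parse
from collections import Counter
from typing import Dict, List, Optional

# Constructed access-log lines (combined format). The endpoint and the "file"
# parameter are placeholders for illustration, not the plugin's actual ones.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2024:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/assets/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2024:10:01:03 +0000] "GET /wp-content/plugins/example-plugin/render.php?file=../../../../wp-config.php HTTP/1.1" 200 180 "-" "curl/8.0"
203.0.113.7 - - [13/Aug/2024:10:01:04 +0000] "GET /wp-content/plugins/example-plugin/render.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 77 "-" "curl/8.0"
203.0.113.7 - - [13/Aug/2024:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/render.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 12 "-" "curl/8.0"
203.0.113.7 - - [13/Aug/2024:10:01:06 +0000] "GET /wp-content/plugins/example-plugin/render.php?file=card.php%00.png HTTP/1.1" 200 90 "-" "curl/8.0"
198.51.100.9 - - [13/Aug/2024:10:02:11 +0000] "GET /wp-content/plugins/example-plugin/render.php?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 77 "-" "python-requests/2.31"
203.0.113.5 - - [13/Aug/2024:10:03:00 +0000] "GET /?s=dots..everywhere HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# ".." followed by a forward or backward slash, checked after decoding
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str) -> Optional[str]:
    """Return a reason string if the request target looks like a traversal attempt."""
    decoded = fully_decode(target)
    if "\x00" in decoded:
        return "null byte in request target"
    if TRAVERSAL_RE.search(decoded):
        return "dot-dot traversal sequence"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines and collect the suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["target"])
        if reason:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "status": m["status"], "reason": reason})
    return findings


def by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per client address to spot scanning bursts."""
    return dict(Counter(f["ip"] for f in findings))


def served(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Traversal requests answered with 200 deserve the first investigation."""
    return [f for f in findings if f["status"] == "200"]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['status']} {f['reason']}: {f['target']}")
    print("per source:", by_source(hits))
    print("answered 200:", len(served(hits)))
```

The benign search query containing ".." without a following slash is not flagged, which keeps the rule usable on a busy site; a WAF rule written the same way (decode first, then match the dot-dot-slash pattern) avoids the usual encoding bypasses.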
Update the Ultimate Bootstrap Elements for Elementor plugin to the latest available version. The Local File Inclusion (LFI) vulnerability has been fixed in versions after 1.4.4. Verify that the updated version is secure and apply the latest security updates.
CVE-2024-43140 is a Path Traversal vulnerability affecting the Ultimate Bootstrap Elements for Elementor plugin, allowing attackers to potentially include arbitrary files on the server.
Yes, if you are using Ultimate Bootstrap Elements for Elementor version 1.4.4 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade the Ultimate Bootstrap Elements for Elementor plugin to version 1.4.5 or later to resolve this vulnerability.
As of now, there are no confirmed reports of active exploitation, but proactive mitigation is still recommended.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.