Platform
wordpress
Component
lastudio-element-kit
Fixed in
1.3.9
CVE-2024-5349 describes a Local File Inclusion (LFI) vulnerability affecting the LA-Studio Element Kit for Elementor WordPress plugin. This vulnerability allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of the plugin up to and including 1.3.8.1. A patch is expected to be released by the vendor.
The impact of this LFI vulnerability is significant. An attacker, possessing only Contributor-level access, can leverage the 'map_style' parameter to include and execute arbitrary PHP code. This effectively bypasses access controls and grants the attacker the ability to read sensitive files, modify plugin configurations, or even execute malicious code on the server. The ability to execute arbitrary PHP code opens the door to complete system compromise, including data exfiltration, privilege escalation, and persistent backdoor installation. Successful exploitation could allow an attacker to gain full control of the WordPress site and potentially the underlying server infrastructure.
This vulnerability is publicly known and documented in the NVD database. While no active exploitation campaigns have been definitively linked to CVE-2024-5349 as of this writing, the ease of exploitation and the potential for significant impact make it a high-priority target. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
WordPress websites using the LA-Studio Element Kit for Elementor plugin, particularly those with users having Contributor-level access or higher, are at risk. Shared hosting environments where users have limited control over file uploads and execution are especially vulnerable, as attackers may be able to leverage this vulnerability to compromise other sites on the same server.
• wordpress / composer / npm:
  grep -r 'map_style' /var/www/html/wp-content/plugins/la-studio-element-kit-for-elementor/
• generic web:
  curl -I http://your-wordpress-site.com/wp-content/plugins/la-studio-element-kit-for-elementor/map_style.php
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'la-studio-element-kit-for-elementor'
Disclosure
Exploit status
EPSS
0.49% (65th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-5349 is to immediately upgrade the LA-Studio Element Kit for Elementor plugin to a version patched against this vulnerability. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files through the 'map_style' parameter can provide an additional layer of defense. Monitor WordPress and web-server logs for suspicious file inclusion attempts, specifically those targeting the 'map_style' parameter. After upgrading, verify the fix by attempting to access a non-existent PHP file through the vulnerable parameter and confirming that access is denied.
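As an added example (not code from the advisory or the plugin), a small Python scanner that applies the log-monitoring advice above: it parses access-log lines and flags requests whose map_style query parameter carries a traversal sequence, an absolute path, a null byte or a PHP stream-wrapper scheme, decoding twice so double-encoded values are not missed. The log format, the admin-ajax.php endpoint and the sample lines are constructed assumptions, not taken from the plugin.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format fields we need: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Signature classes for an abused file-inclusion parameter: directory
# traversal, absolute or drive paths, null-byte truncation, PHP stream wrappers.
SUSPICIOUS = re.compile(
    r'(\.\./|\.\.\\|^/|^[a-z]:\\|\x00|%00|^(php|data|file|expect|phar|zip)://)',
    re.IGNORECASE,
)

def map_style_value(target):
    """Extract the map_style query value from a request target, or None.

    parse_qs decodes once; the extra unquote() also catches double-encoded
    values (%252e%252e%252f) that a single decode would leave untouched."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("map_style")
    return unquote(values[0]) if values else None

def is_suspicious(value):
    return bool(SUSPICIOUS.search(value))

def scan_access_log(lines):
    """Return one record per request whose map_style value looks like an LFI attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        value = map_style_value(m.group("target"))
        if value is not None and is_suspicious(value):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "map_style": value})
    return hits

# Constructed sample lines (assumed admin-ajax.php endpoint; not from the plugin).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=la_map&map_style=dark HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=la_map&map_style=../../../../wp-config.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=la_map&map_style=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Jun/2024:12:00:04 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Feed it real lines with `scan_access_log(open("/var/log/apache2/access.log"))` and forward any hits to your SIEM; the signature list is a starting point, not a complete WAF ruleset.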
Update the LA-Studio Element Kit for Elementor plugin to the latest available version. This will fix the local file inclusion vulnerability.
CVE-2024-5349 is a Local File Inclusion vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using LA-Studio Element Kit for Elementor version 1.3.8.1 or earlier.
Upgrade to the latest version of the LA-Studio Element Kit for Elementor plugin as soon as a patch is released. Until then, implement mitigation steps like restricting file uploads and input validation.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation.
Check the LA-Studio Element Kit website and WordPress plugin repository for updates and advisories related to CVE-2024-5349.