Platform
wordpress
Component
jet-elements
Fixed in
2.6.21
CVE-2024-7145 is a Local File Inclusion (LFI) vulnerability in the JetElements plugin for WordPress. It affects all versions up to and including 2.6.20 and is fixed in 2.6.21. Authenticated attackers with Contributor-level access or higher can abuse the progress_type parameter to include and execute arbitrary files on the server, which can lead to sensitive data exposure or full code execution.
The impact is significant because the LFI can be escalated to remote code execution (RCE). Any account with Contributor access can include files from the server's filesystem, which exposes sensitive data such as configuration files; where the attacker can first place PHP code in a file the web server can read (for example inside an uploaded file of an otherwise allowed type), the include executes that code. From there an attacker can bypass access controls, steal data stored on the server, modify website content, install backdoors or malware, deface the site, and ultimately take complete control of the WordPress instance.
CVE-2024-7145 was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege level required (a Contributor account) and the wide installed base of JetElements make it an attractive target. Public proof-of-concept exploits are likely to emerge, which would increase the risk of exploitation.
WordPress sites running JetElements 2.6.20 or earlier are at risk. The exposure is highest where several users hold Contributor-level access or higher (multi-author blogs, sites that accept guest contributions), and on shared hosting, where site owners have limited control over file permissions. Sites that have not applied the 2.6.21 update are the ones that can actually be exploited.
• wordpress / composer / npm:
grep -r 'progress_type' /var/www/html/wp-content/plugins/jet-elements/
(confirms that the installed plugin ships the affected progress_type parameter; it does not by itself tell you whether the version is patched)
• wordpress / composer / npm:
wp plugin list --status=all | grep jet-elements
(shows the installed version; anything at or below 2.6.20 is vulnerable)
• wordpress / composer / npm:
find /var/www/html/wp-content/uploads/ -type f -name '*.php'
(PHP files under uploads should not normally exist and are a common second stage for an LFI; any hit deserves review)
Disclosure
Exploit status
EPSS
0.57% (69th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7145 is to upgrade JetElements to 2.6.21 or later, the version in which the vendor fixed the issue. If upgrading is not immediately possible because of compatibility concerns or breaking changes, reduce the attack surface in the meantime: restrict file uploads to explicitly allowed types (an LFI becomes code execution when the attacker can first place PHP code in a file the web server can read, so limiting what can be uploaded limits that second stage), review accounts with Contributor-level access or higher and remove any that are not needed, and add WAF rules that block path-traversal sequences. None of this is a complete fix. Monitor web server access logs for requests carrying ../, URL-encoded equivalents such as %2e%2e%2f, or references to files like wp-config.php. After upgrading, verify the fix by confirming that the installed version is 2.6.21 or later (for example with wp plugin list) rather than by probing the parameter, since a rejected include does not necessarily produce a 404.
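The three detection commands above and the log-monitoring advice in the mitigation paragraph can be combined into one audit script. The following is an added example written for this page; it is not code from JetElements or from the page's author. It assumes wp-cli is installed, that the site lives under /var/www/html (both overridable), and that the access log is in Apache/nginx combined format. The sample log lines are constructed for illustration, and the request shapes in them (progress_type in a query string) are not a record of real exploit traffic.

```shell
#!/bin/sh
# Added example (not JetElements or page code): three checks for CVE-2024-7145.
#   1. Is the installed jet-elements version in the vulnerable range (<= 2.6.20)?
#   2. Are there PHP files under wp-content/uploads (a possible second stage for LFI)?
#   3. Do access-log request lines carry path-traversal or sensitive-path markers?
# Assumptions: wp-cli is available, the site root is /var/www/html unless given,
# and the log is combined format. The sample log lines below are constructed.

FIXED_VERSION="2.6.21"

# version_lt A B -> true when A sorts strictly before B in natural version order
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# jet_elements_status VERSION -> prints "vulnerable" (< 2.6.21) or "patched"
jet_elements_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"; else echo "patched"; fi
}

# php_files_in_uploads DIR -> lists files PHP would execute below an uploads tree
php_files_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# count_php_files_in_uploads DIR -> how many such files (0 is the expected state)
count_php_files_in_uploads() {
    php_files_in_uploads "$1" | wc -l | tr -d ' '
}

# flag_traversal_requests <log -> lines whose request carries "../", URL-encoded
# dot-dot-slash, double-encoded dots, /etc/passwd, wp-config.php or a php:// wrapper
flag_traversal_requests() {
    grep -Ei '\.\./|\.\.%2f|%2e%2e|%252e|/etc/passwd|wp-config\.php|php://'
}

# traversal_source_ips <log -> "<count> <ip>" per client, busiest first
traversal_source_ips() {
    flag_traversal_requests | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log (combined format); illustrative only, not real traffic.
sample_access_log() {
    cat <<'EOF'
203.0.113.10 - - [16/Aug/2024:10:01:02 +0000] "GET /wp-admin/post.php?post=12&action=elementor HTTP/1.1" 200 5120
203.0.113.10 - - [16/Aug/2024:10:01:09 +0000] "GET /?progress_type=../../../../wp-config.php HTTP/1.1" 200 812
203.0.113.10 - - [16/Aug/2024:10:01:15 +0000] "GET /?progress_type=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 310
198.51.100.7 - - [16/Aug/2024:10:02:30 +0000] "GET /wp-content/uploads/2024/08/photo.jpg HTTP/1.1" 200 20480
203.0.113.10 - - [16/Aug/2024:10:03:41 +0000] "GET /?progress_type=%2e%2e%2f%2e%2e%2fuploads%2f2024%2f08%2fshell.php HTTP/1.1" 200 44
EOF
}

# audit_site WP_ROOT ACCESS_LOG -> runs all three checks against a live install
audit_site() {
    root="${1:-/var/www/html}"
    log="${2:-/var/log/apache2/access.log}"
    if ver="$(wp plugin get jet-elements --field=version --path="$root" 2>/dev/null)"; then
        echo "jet-elements $ver: $(jet_elements_status "$ver")"
    else
        echo "jet-elements not installed, or wp-cli unavailable"
    fi
    echo "PHP files under uploads: $(count_php_files_in_uploads "$root/wp-content/uploads")"
    php_files_in_uploads "$root/wp-content/uploads"
    echo "Clients sending traversal-looking requests:"
    if [ -r "$log" ]; then traversal_source_ips < "$log"; fi
}

# Stand-alone run: show the log check on the constructed sample, then audit a
# live site when a document root is passed, e.g.  sh audit.sh /var/www/html
sample_access_log | traversal_source_ips
if [ $# -gt 0 ]; then audit_site "$1" "$2"; fi
```

Two caveats on the log check. Access logs record only the request line, so a payload sent in a POST body (which is how Elementor normally saves widget settings) will not appear there; pair this with WAF or application-level logging if you need that coverage. And the patterns are deliberately broad, so expect some benign hits (scanners, misconfigured crawlers) and treat the output as a triage list, not proof of compromise.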
Update the JetElements plugin to the latest available version (2.6.21 or later). This fixes the local file inclusion vulnerability.
CVE-2024-7145 is a Local File Inclusion vulnerability in the JetElements WordPress plugin that lets authenticated users with Contributor-level access or higher include arbitrary files from the server, up to and including execution of PHP code. It affects versions up to and including 2.6.20 and is fixed in 2.6.21.
You are affected if your WordPress site uses JetElements at version 2.6.20 or earlier. Check the installed version (for example with wp plugin list) and upgrade to 2.6.21 or later.
Upgrade JetElements to 2.6.21 or later. If you cannot upgrade yet, apply temporary workarounds: restrict file uploads to allowed types, limit who holds Contributor-level access or higher, and add WAF rules that block path-traversal sequences.
There is currently no confirmed active exploitation of CVE-2024-7145, and it is not listed in the CISA KEV catalog, but the low privilege level required makes it a likely target once public proof-of-concept code appears.
Refer to the official JetElements plugin website or their support channels for the latest advisory and updates regarding CVE-2024-7145.