Platform: wordpress
Component: jettabs
Fixed in: 2.2.4
CVE-2024-7146 describes a Local File Inclusion (LFI) vulnerability affecting the JetTabs for Elementor WordPress plugin. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of the plugin up to and including 2.2.3. A fix is available in a later version of the plugin.
The impact of this vulnerability is significant due to its potential for code execution. An attacker who can exploit this LFI can upload seemingly harmless files (like images) and then include them in a way that executes arbitrary PHP code. This could allow them to bypass access controls, steal sensitive data stored on the server, or even gain complete control of the WordPress site. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including defacement, data breaches, and the installation of backdoors. The attacker's access level requirement (Contributor or higher) is relatively low, making a large number of WordPress users potentially vulnerable.
CVE-2024-7146 was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public vulnerability description and the relatively low access requirements increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation once a malicious file is uploaded.
WordPress websites using the JetTabs for Elementor plugin, particularly those with users having Contributor-level access or higher, are at risk. Shared hosting environments where users have limited control over file permissions are also at increased risk, as attackers may be able to upload malicious files more easily. Websites with outdated plugin versions are particularly vulnerable.
Detection (wordpress / composer / npm):
• Confirm the affected parameter is present in the installed plugin's source tree:
    grep -r 'switcher_preset' /var/www/html/wp-content/plugins/jet-tabs-for-elementor/
• Check the installed plugin version with WP-CLI (anything up to and including 2.2.3 is affected):
    wp plugin list --status=all | grep jet-tabs-for-elementor
• From outside, check whether the plugin directory is served at all; -I returns headers only, so read the HTTP status line rather than grepping for the parameter name:
    curl -sI http://your-wordpress-site.com/wp-content/plugins/jet-tabs-for-elementor/ | head -n 1
Disclosure: August 16, 2024
Exploit status: no active exploitation known
EPSS: 0.37% (59th percentile)
The primary mitigation for CVE-2024-7146 is to upgrade the JetTabs for Elementor plugin to a version that contains the fix. If upgrading immediately is not possible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These could include restricting file upload permissions to prevent attackers from uploading malicious files, or implementing stricter input validation on the 'switcher_preset' parameter to prevent it from being used to include arbitrary files. Monitor WordPress access logs for suspicious activity, particularly attempts to access unusual file paths. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent PHP file through the vulnerable parameter and verifying that it results in a 404 error.
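The log monitoring suggested above can be scripted. The following Python is an added example written for this page, not tooling from the plugin or its vendor; it runs over constructed Apache combined-format log lines and assumes that a legitimate switcher_preset value is a short slug of letters, digits, hyphens and underscores, and that the request path is unknown (only the query string is inspected).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines; hosts, times and paths are invented.
# The endpoint that reads switcher_preset is not stated on the page, so the
# scanner looks only at the query string, whatever the path.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2024:10:01:12 +0000] "GET /index.php?switcher_preset=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Aug/2024:10:02:30 +0000] "GET /index.php?switcher_preset=..%2F..%2Fuploads%2F2024%2F08%2Fimage.png HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [16/Aug/2024:10:03:01 +0000] "GET /index.php?switcher_preset=%252e%252e%252fuploads%252fx.png HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [16/Aug/2024:10:04:44 +0000] "GET /?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(  # client IP, timestamp, request target, HTTP status
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate preset name is a short slug (letters, digits, - and _).
PRESET_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_preset(value):
    """True when the value could name a file path rather than a preset slug."""
    v = decode_fully(value)
    if "\x00" in v or ".." in v or "/" in v or "\\" in v:
        return True
    return PRESET_RE.match(v) is None

def scan_access_log(text):
    """Return one record per request whose switcher_preset value looks like LFI."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs decodes one encoding layer; decode_fully handles double encoding.
        for raw in parse_qs(query, keep_blank_values=True).get("switcher_preset", []):
            if is_suspicious_preset(raw):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), "switcher_preset": decode_fully(raw)})
    return hits
```

Run it over a real access log with `scan_access_log(open(path).read())`; a hit with a 200 status after the upgrade is worth investigating, since the fixed version should no longer serve such requests.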
Update the JetTabs for Elementor plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. The update will fix the local file inclusion vulnerability.
CVE-2024-7146 is a Local File Inclusion vulnerability in the JetTabs for Elementor plugin, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using JetTabs for Elementor version 2.2.3 or earlier and have users with Contributor access or higher.
Upgrade the JetTabs for Elementor plugin to the latest available version that contains the fix. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the vulnerability is publicly known and could be exploited.
Refer to the JetTabs for Elementor plugin documentation and website for the official advisory and update information.