Platform
wordpress
Component
pdf-generator-addon-for-elementor-page-builder
Fixed in
1.7.6
CVE-2024-9935 is a critical vulnerability classified as Arbitrary File Access affecting the PDF Generator Addon for Elementor Page Builder plugin in WordPress. This flaw allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, database credentials, or source code. The vulnerability impacts versions of the plugin up to and including 1.7.5. A patch is available to resolve this issue.
The primary impact of CVE-2024-9935 is the potential for unauthorized access to sensitive files on the web server. An attacker could exploit this vulnerability to read configuration files containing database passwords, API keys, or other credentials. They could also access source code, internal documents, or other sensitive data stored on the server. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the entire server infrastructure. This vulnerability shares similarities with other path traversal exploits, where attackers manipulate file paths to bypass security controls.
CVE-2024-9935 was publicly disclosed on 2024-11-16. Currently, there are no reports of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are available, indicating a moderate risk of exploitation if the vulnerability remains unpatched.
WordPress websites utilizing the PDF Generator Addon for Elementor Page Builder plugin, particularly those running versions prior to 1.7.5, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over file permissions and server configurations. Websites with sensitive data stored on the server, such as database credentials or API keys, are at heightened risk of compromise.
• wordpress / composer / npm:
grep -r 'rtw_pgaepb_dwnld_pdf()' /var/www/html/wp-content/plugins/pdf-generator-for-elementor/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/pdf-generator-for-elementor/rtw_pgaepb_dwnld_pdf?file=/etc/passwd
• wordpress / composer / npm:
wp plugin list --status=active | grep 'pdf-generator-for-elementor'
Exploit status
EPSS
93.62% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9935 is to immediately upgrade the PDF Generator Addon for Elementor Page Builder plugin to a version higher than 1.7.5. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the web server user has minimal permissions to access files outside of the web root. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a non-public file via the vulnerable endpoint and confirming that access is denied.
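A log-review check to go with the WAF and verification advice above, added here as an example and not code from the plugin or from this advisory: it parses combined-format access log lines (the sample lines are constructed) and flags requests to the download endpoint whose `file` parameter is an absolute path or contains a traversal sequence after URL decoding. The endpoint path and the `file` parameter name follow the curl check earlier on this page and are assumptions, not a confirmed description of the plugin's routing.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed endpoint, taken from the curl check on this page (not verified against plugin source).
PLUGIN_PATH = "/wp-content/plugins/pdf-generator-for-elementor/"

# Constructed sample lines in Apache/Nginx combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2024:10:01:02 +0000] "GET /wp-content/plugins/pdf-generator-for-elementor/rtw_pgaepb_dwnld_pdf?file=/etc/passwd HTTP/1.1" 200 1837 "-" "curl/8.0"
203.0.113.5 - - [16/Nov/2024:10:01:05 +0000] "GET /wp-content/plugins/pdf-generator-for-elementor/rtw_pgaepb_dwnld_pdf?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1837 "-" "curl/8.0"
198.51.100.7 - - [16/Nov/2024:10:02:00 +0000] "GET /wp-content/plugins/pdf-generator-for-elementor/rtw_pgaepb_dwnld_pdf?file=invoice-42.pdf HTTP/1.1" 200 50211 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2024:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_value(value: str) -> bool:
    """True if the decoded value escapes a plain file name (absolute path or '../')."""
    # Decode twice so double-encoded sequences (e.g. %252e%252e%252f) are caught too.
    decoded = unquote(unquote(value)).replace("\\", "/")
    return decoded.startswith("/") or "../" in decoded


def suspicious_requests(log_text: str):
    """Return one record per request to the plugin endpoint with a traversal-like 'file' value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash on malformed input
        parts = urlsplit(m["target"])
        if not parts.path.startswith(PLUGIN_PATH):
            continue  # only the plugin's own paths are of interest here
        for value in parse_qs(parts.query).get("file", []):  # parse_qs already URL-decodes once
            if is_traversal_value(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "file": unquote(unquote(value))})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} file={hit["file"]}')
```

A 200 status on a flagged request is the case worth escalating, since on a patched version (1.7.6 or later) the endpoint should refuse such a path.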
Update the PDF Generator Addon for Elementor Page Builder plugin to the latest available version. This fixes the path traversal vulnerability that allows unauthenticated download of arbitrary files.
CVE-2024-9935 is a vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server using the PDF Generator Addon for Elementor Page Builder plugin, impacting versions up to 1.7.5.
You are affected if your WordPress site uses the PDF Generator Addon for Elementor Page Builder plugin in a version equal to or lower than 1.7.5.
Upgrade the PDF Generator Addon for Elementor Page Builder plugin to a version higher than 1.7.5. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the ease of exploitation suggests a high probability if unpatched.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and updated version.