Scan free
HIGHCVE-2024-37419CVSS 7.5

CVE-2024-37419: Path Traversal in Cowidgets Elementor Addons

Platform

wordpress

Component

cowidgets-elementor-addons

Fixed in

1.1.2

AI Confidence: highNVDEPSS 0.4%Reviewed: May 2026
View on NVD
Save

CVE-2024-37419 describes a Path Traversal vulnerability discovered in Cowidgets – Elementor Addons, a WordPress plugin. This flaw allows unauthorized access to sensitive files on the server by manipulating file paths. The vulnerability affects versions of the plugin up to and including 1.1.1, and a patch has been released in version 1.1.2.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The Path Traversal vulnerability in Cowidgets – Elementor Addons poses a significant risk to WordPress websites. An attacker could exploit this flaw to read configuration files, database credentials, or even source code, potentially gaining complete control over the server. Successful exploitation could lead to data breaches, website defacement, and further compromise of the system. This vulnerability is similar in nature to other path traversal exploits, where attackers leverage predictable file system structures to bypass access controls.

Exploitation Context

CVE-2024-37419 was publicly disclosed on 2024-07-09. Currently, there are no known active campaigns targeting this vulnerability, and no public proof-of-concept exploits have been widely released. The vulnerability is not listed on the CISA KEV catalog as of this writing. However, the ease of exploitation associated with path traversal vulnerabilities suggests that it may become a target for opportunistic attackers.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.39% (60% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentcowidgets-elementor-addons
VendorCodeless
Affected rangeFixed in
0.0.0 – 1.1.11.1.2

Weakness Classification (CWE)

CWE-22

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-37419 is to immediately upgrade Cowidgets – Elementor Addons to version 1.1.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions on the server and implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal attempts (e.g., ../). Regularly monitor server logs for unusual file access patterns and consider implementing file integrity monitoring to detect unauthorized modifications.

How to fix

Actualice el plugin Cowidgets – Elementor Addons a la última versión disponible. La vulnerabilidad de inclusión de archivos locales (LFI) se ha corregido en versiones posteriores a la 1.1.1. Para actualizar, vaya al panel de administración de WordPress, sección 'Plugins' y busque 'Cowidgets – Elementor Addons' para actualizarlo.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-37419 — Path Traversal in Cowidgets Elementor Addons?

CVE-2024-37419 is a Path Traversal vulnerability affecting Cowidgets – Elementor Addons versions up to 1.1.1, allowing attackers to read arbitrary files on the server.

Am I affected by CVE-2024-37419 in Cowidgets Elementor Addons?

You are affected if you are using Cowidgets – Elementor Addons version 1.1.1 or earlier. Check your plugin version and update immediately.

How do I fix CVE-2024-37419 in Cowidgets Elementor Addons?

Upgrade Cowidgets – Elementor Addons to version 1.1.2 or later. As a temporary workaround, restrict file access permissions and implement a WAF rule.

Is CVE-2024-37419 being actively exploited?

As of now, there are no confirmed active exploitation campaigns, but the vulnerability's nature suggests it may become a target.

Where can I find the official Cowidgets advisory for CVE-2024-37419?

Refer to the Cowidgets website or WordPress plugin repository for the official advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs