HIGH · CVE-2024-11952 · CVSS 7.5

CVE-2024-11952: LFI in Classic Addons – WPBakery Page Builder

Platform

wordpress

Component

classic-addons-wpbakery-page-builder-addons

Fixed in

3.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2024-11952 is a Limited Local PHP File Inclusion (LFI) vulnerability in the Classic Addons – WPBakery Page Builder plugin for WordPress. It allows authenticated users with Contributor-level access or higher to include, and therefore execute, arbitrary PHP files already present on the server. All versions up to and including 3.0 are affected; the fix shipped in version 3.0.1.


Impact and Attack Scenarios

An attacker exploiting this LFI vulnerability could gain significant control over a WordPress site. Through the 'style' parameter, any user holding the Contributor role or a higher one can make the plugin include a file of their choosing, and any PHP in that file runs with the web server's privileges. The immediate consequence is disclosure of sensitive files on the server, such as wp-config.php with its database credentials. If the attacker can also place a file of their own on the server, the include turns into arbitrary code execution and complete compromise of the WordPress installation, and potentially of the underlying host. Code execution in turn enables defacement, data theft, and the installation of persistent backdoors.

Exploitation Context

CVE-2024-11952 was publicly disclosed on December 4, 2024. While no public exploits have been widely reported, the ease of exploitation and the potential impact make it a concerning vulnerability. The requirement for authenticated access limits the immediate scope of the attack, but the prevalence of WordPress and the common practice of granting contributor-level access to multiple users increases the overall risk. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.12% (30th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 7.5, HIGH; nextguardhq.com, CVSS v3.1 base score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: classic-addons-wpbakery-page-builder-addons
Vendor: webcodingplace
Affected range: * – 3.0
Fixed in: 3.0.1

Package Information

Active installs: 3K (niche)
Plugin rating: 5.0
Requires WordPress: 3.5+
Compatible up to: 7.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
536 days since disclosure at the time of the May 2026 review. The tracker label reads "Unpatched", but the affected-software table above lists 3.0.1 as the fixed version; treat 3.0.1 as the remediation target.

Mitigation and Workarounds

The primary mitigation for CVE-2024-11952 is to upgrade the Classic Addons – WPBakery Page Builder plugin to 3.0.1 or later. If upgrading immediately is not possible because of compatibility or testing requirements, reduce what a Contributor account can do in the meantime: Contributors cannot upload media in a default WordPress install (the upload_files capability belongs to Author and above), so confirm that no plugin or role customization has granted it, since a location the attacker can write to is typically what turns a limited include into code execution. Review Contributor-and-higher accounts and remove stale ones. Site owners should not attempt to patch the plugin's handling of the 'style' parameter themselves; instead, front the site with a Web Application Firewall (WAF) rule that rejects requests whose 'style' value contains path traversal sequences, absolute paths, or PHP stream wrappers. Monitor web server and WordPress logs for such values, especially when they arrive from authenticated low-privilege accounts.
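The log-monitoring advice above is easier to act on with a concrete detector. The following is an added example written for this page; it is not the plugin's code or a vendor tool. The parameter name 'style' comes from the advisory text; the endpoint path in the sample lines, the combined log format, and the assumption that a legitimate style value is a short slug are all assumptions, and the log lines are constructed.

```python
"""Flag access-log requests whose 'style' query parameter carries a path or
stream wrapper instead of a plain style name.

Added example for this page; it is not the plugin's code or a vendor tool.
The parameter name 'style' comes from the advisory text above. Everything
else is assumed: the endpoint path in the sample lines, the log format
(Apache/Nginx combined), and the benign-value pattern (a short slug such as
'classic' or 'style-2'). The log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of a legitimate style value.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

# Signs that a file path or PHP stream wrapper is being smuggled into the parameter.
INDICATORS = (
    ("traversal",   re.compile(r'\.\.[/\\]')),
    ("absolute",    re.compile(r'^[/\\]|^[A-Za-z]:[/\\]')),
    ("php_wrapper", re.compile(r'^(?:php|data|phar|file|expect|glob|zip)://', re.I)),
    ("null_byte",   re.compile(r'\x00')),
    ("extension",   re.compile(r'\.(?:php\d?|phtml|inc)$', re.I)),
)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so a double-encoded %252e%252e%252f collapses to ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_style_value(value):
    """Return the indicator names that fire on the decoded value; [] means benign."""
    decoded = decode_fully(value)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits and not SAFE_VALUE.match(decoded):
        hits.append("unexpected_chars")
    return hits

def scan_log(lines, param="style"):
    """Return (ip, user, value, hits) for every request whose param looks malicious.
    parse_qs decodes the value once; decode_fully then strips any further layers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            hits = classify_style_value(value)
            if hits:
                findings.append((m.group("ip"), m.group("user"), value, hits))
    return findings

# Constructed sample: one normal editor request, three attempts from a contributor
# account, and an unrelated front-end hit. The endpoint path is made up.
SAMPLE_LOG = [
    '203.0.113.5 - editor1 [10/Dec/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=classic HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - contrib7 [10/Dec/2024:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.9 - contrib7 [10/Dec/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=%252e%252e%252fuploads%252f2024%252fx.jpg HTTP/1.1" 200 77 "-" "curl/8.4.0"',
    '203.0.113.9 - contrib7 [10/Dec/2024:10:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=render&style=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 3901 "-" "curl/8.4.0"',
    '198.51.100.2 - - [10/Dec/2024:10:01:00 +0000] "GET /?p=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, user, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {user}: style={value!r} -> {', '.join(hits)}")
```

Run it against a real access log with `scan_log(open(path).readlines())`. The same indicator list is what a WAF rule for the 'style' parameter should encode; the decode-until-stable step matters because a single URL decode misses `%252e%252e%252f`, and the null-byte and extension checks catch attempts to defeat a suffix the plugin may append.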

How to fix

Update the Classic Addons – WPBakery Page Builder plugin to the latest available version (3.0.1 or later). This resolves the local PHP file inclusion vulnerability.


Frequently asked questions

What is CVE-2024-11952 — LFI in Classic Addons – WPBakery Page Builder?

CVE-2024-11952 is a Limited Local PHP File Inclusion vulnerability in the Classic Addons – WPBakery Page Builder plugin for WordPress. It lets authenticated users with Contributor-level access or higher include arbitrary PHP files on the server through the 'style' parameter, which can lead to information disclosure and code execution.

Am I affected by CVE-2024-11952 in Classic Addons – WPBakery Page Builder?

You are affected if you are using Classic Addons – WPBakery Page Builder version 3.0 or earlier.
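To answer this from the installed code rather than from memory, here is an added check (not plugin or vendor code) that reads the version from the plugin's header comment and compares it against the 3.0.1 fix. The sample header is constructed, and the directory layout is assumed to follow the usual WordPress convention of a Version: line in a top-level PHP file of the plugin folder.

```python
"""Decide whether an installed copy of the plugin sits in the affected range (* – 3.0).

Added example for this page, not code from the plugin or its vendor. WordPress
reads a plugin's version from a 'Version:' line in the header comment of a PHP
file at the top of the plugin directory; the sample header here is constructed.
The fixed version 3.0.1 comes from the page's affected-software table.
"""
import os
import re

FIXED_VERSION = "3.0.1"

# Matches ' * Version: 3.0' inside a /** ... */ plugin header (multiline mode).
VERSION_HEADER = re.compile(r'^[ \t/*#@]*Version:\s*(\S+)', re.M)

def parse_version(text):
    """Split '3.0.1-beta2' into ((3, 0, 1), True): numeric tuple plus a pre-release flag.
    Tuple comparison handles '3.0' < '3.0.1' and '3.0.9' < '3.0.10', which plain
    string comparison gets wrong."""
    m = re.match(r'\s*(\d+(?:\.\d+)*)(.*)$', text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split('.'))
    return nums, bool(m.group(2).strip())

def is_affected(version):
    """True when the version is below the fix. A pre-release of the fixed version
    (e.g. 3.0.1-beta) is treated as still affected."""
    nums, prerelease = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    return nums < fixed or (nums == fixed and prerelease)

def version_from_header(php_source):
    """Return the Version: value from a plugin header comment, or None."""
    m = VERSION_HEADER.search(php_source)
    return m.group(1) if m else None

def check_plugin_dir(path):
    """Scan top-level .php files the way WordPress does; return (version, affected)
    for the first one carrying a header, or (None, None) if none is found."""
    for name in sorted(os.listdir(path)):
        if not name.endswith('.php'):
            continue
        with open(os.path.join(path, name), encoding='utf-8', errors='replace') as f:
            version = version_from_header(f.read(8192))  # WordPress reads only the first 8 KB
        if version:
            return version, is_affected(version)
    return None, None

# Constructed header modelled on the WordPress plugin header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Classic Addons - WPBakery Page Builder Addons
 * Version: 3.0
 * Author: webcodingplace
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"header version {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

Point `check_plugin_dir` at `wp-content/plugins/classic-addons-wpbakery-page-builder-addons` on the host to get the installed version and verdict; the numeric tuple comparison is the part worth copying, since comparing "3.0" and "3.0.1" as strings happens to work but "3.0.9" versus "3.0.10" does not.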

How do I fix CVE-2024-11952 in Classic Addons – WPBakery Page Builder?

Upgrade the Classic Addons – WPBakery Page Builder plugin to the latest patched version.

Is CVE-2024-11952 being actively exploited?

While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target.

Where can I find the official Classic Addons advisory for CVE-2024-11952?

The plugin is published by webcodingplace as a third-party addon, not by the WPBakery Page Builder vendor, so look for the 3.0.1 release notes in the plugin's changelog on its WordPress.org plugin directory listing and on the vendor's own site.
