Platform
wordpress
Component
classic-addons-wpbakery-page-builder-addons
Fixed in
3.0.1
CVE-2024-11952 describes a Limited Local PHP File Inclusion (LFI) vulnerability affecting the Classic Addons – WPBakery Page Builder plugin for WordPress. This vulnerability allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server. The vulnerability impacts versions of the plugin up to and including 3.0. A fix is available in a patched version of the plugin.
An attacker exploiting this LFI vulnerability could gain significant control over a WordPress site. By leveraging the 'style' parameter, a contributor-level user (or higher, with administrator permissions) can include and execute arbitrary PHP code. This could lead to the disclosure of sensitive information stored on the server, such as database credentials or configuration files. Furthermore, the attacker could potentially execute malicious code, leading to complete compromise of the WordPress installation and potentially the underlying server. The ability to execute arbitrary code opens the door to a wide range of attacks, including defacement, data theft, and the installation of backdoors.
CVE-2024-11952 was publicly disclosed on December 4, 2024. While no public exploits have been widely reported, the ease of exploitation and the potential impact make it a concerning vulnerability. The requirement for authenticated access limits the immediate scope of the attack, but the prevalence of WordPress and the common practice of granting contributor-level access to multiple users increases the overall risk. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.12% (30% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11952 is to upgrade the Classic Addons – WPBakery Page Builder plugin to a patched version. If upgrading immediately is not possible due to compatibility issues or testing requirements, consider temporarily restricting file upload permissions for users with Contributor access. Additionally, implement strict input validation on the 'style' parameter to prevent malicious file paths from being included. Web Application Firewalls (WAFs) configured to filter out suspicious file inclusion attempts can provide an additional layer of protection. Monitor WordPress logs for unusual file access patterns.
Actualice el plugin Classic Addons – WPBakery Page Builder a la última versión disponible. Esto solucionará la vulnerabilidad de inclusión de archivos PHP local.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11952 is a Limited Local PHP File Inclusion vulnerability in the Classic Addons plugin for WordPress, allowing authenticated users to execute arbitrary PHP code.
You are affected if you are using Classic Addons – WPBakery Page Builder version 3.0 or earlier.
Upgrade the Classic Addons – WPBakery Page Builder plugin to the latest patched version.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the official Classic Addons website or the WPBakery Page Builder security advisory for updates and details.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.