Platform: wordpress
Component: ht-mega-for-elementor
Fixed in: 2.4.7
CVE-2024-1974 describes a Directory Traversal vulnerability discovered in the HT Mega – Absolute Addons For Elementor plugin for WordPress. This flaw allows authenticated users with contributor access or higher to read arbitrary files on the server, potentially exposing sensitive information. The vulnerability affects versions of the plugin up to and including 2.4.6. A patch has been released in version 2.4.7.
The primary impact of CVE-2024-1974 is the potential for unauthorized access to sensitive files on the web server. An attacker, having legitimate contributor-level access to a WordPress site using the vulnerable plugin, could exploit this vulnerability to read configuration files, database credentials, or even source code. This could lead to further compromise of the system, including data breaches, privilege escalation, and the execution of malicious code. The ability to read arbitrary files significantly expands the attack surface beyond the plugin itself, potentially exposing other applications or services running on the same server.
CVE-2024-1974 was publicly disclosed on April 9, 2024. While no active exploitation campaigns have been confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. No Proof of Concept (PoC) code has been publicly released as of this writing, but the vulnerability's nature suggests that a PoC could be developed relatively easily. It has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 2.61% (86th percentile)
The primary mitigation for CVE-2024-1974 is to immediately upgrade the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file access permissions on the server to minimize the potential damage if the vulnerability is exploited. Implement Web Application Firewall (WAF) rules to block attempts to access files outside of the intended directory structure. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
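As an added example (not code from this advisory or from the HT Mega plugin), the following shows the two defensive checks the mitigation section points at: flagging traversal attempts in access logs so a WAF or log monitor can act on them, and the path-containment test a patched file-reading endpoint should apply before opening a file. The `admin-ajax.php` endpoint, the `tpl` parameter and the log lines are constructed fixtures and do not describe the plugin's real code.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format access-log sample (not real traffic).
# Lines 2-4 carry plain, single-encoded and double-encoded '..' segments.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=render&tpl=header.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=render&tpl=../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Apr/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=render&tpl=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Apr/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=render&tpl=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048
203.0.113.11 - - [10/Apr/2024:10:00:05 +0000] "GET /?p=1 HTTP/1.1" 200 1024
"""

# Client IP and request target from a combined-format log entry.
_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a parent-directory ('..') path segment."""
    normalized = fully_decode(value).replace("\\", "/")  # treat backslash as a separator too
    return any(segment == ".." for segment in normalized.split("/"))


def traversal_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, parameter, decoded_value) for each query parameter holding a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        match = _REQ.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for key, val in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes one layer
            if has_traversal(val):
                hits.append((match.group("ip"), key, fully_decode(val)))
    return hits


def is_within_base(base_dir: str, requested: str) -> bool:
    """Server-side check: the decoded, normalized target must stay inside base_dir.

    Rejects '..' escapes and absolute paths alike, which is the fix a file-reading
    endpoint needs rather than a blocklist of '../' strings."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, fully_decode(requested).replace("\\", "/")))
    return target == base or target.startswith(base + "/")
```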
Update the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. This version contains a fix for the directory traversal vulnerability.
CVE-2024-1974 is a Directory Traversal vulnerability affecting the HT Mega – Absolute Addons For Elementor plugin for WordPress, allowing authenticated users to read arbitrary files.
You are affected if you are using HT Mega – Absolute Addons For Elementor version 2.4.6 or earlier. Check your plugin version and upgrade immediately.
Upgrade the HT Mega – Absolute Addons For Elementor plugin to version 2.4.7 or later. Consider temporary workarounds like restricting file access permissions and WAF rules if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official HT Mega website and WordPress plugin repository for the latest advisory and update information.