Platform: wordpress
Component: consulting-elementor-widgets
Fixed in: 1.3.1
CVE-2024-37089 is a critical Path Traversal vulnerability affecting Consulting Elementor Widgets versions up to and including 1.3.0. It allows an attacker to include arbitrary files on the server, potentially leading to sensitive data exposure or even remote code execution. The vulnerability was published on 2024-06-24, and a fix is available in version 1.3.1.
The Path Traversal vulnerability in Consulting Elementor Widgets allows attackers to bypass intended security restrictions and access files outside of the intended directory. By manipulating file paths, an attacker can include arbitrary files from the server's filesystem. This could lead to the exposure of sensitive configuration files, database credentials, or even source code. In a worst-case scenario, if the attacker can include a PHP file containing malicious code, they could achieve remote code execution, effectively gaining full control of the WordPress site. This is particularly concerning given the popularity of Elementor and the potential for widespread exploitation.
CVE-2024-37089 is currently considered high risk because of its critical CVSS score and the ease with which path traversal vulnerabilities can typically be exploited. While no public exploits have been widely reported, the public availability of the vulnerability details and its potential impact make it a prime target for attackers. The vulnerability was disclosed on 2024-06-24; its addition to the CISA KEV catalog is pending. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS: 0.97% (77th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-37089 is to immediately upgrade Consulting Elementor Widgets to version 1.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal attempts, or implementing input validation to sanitize user-supplied file paths. Regularly scan your WordPress installation for vulnerable plugins using security plugins or vulnerability scanners.
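The input-validation workaround above can be made concrete. The following is an added example written for this page, not code from the Consulting Elementor Widgets plugin or from StylemixThemes, and it does not reproduce the plugin's actual vulnerable code. It assumes a hypothetical helper, cew_example_resolve_template(), that templates live in a directory the caller controls, and that the set of valid template names is known in advance. The comment at the top names the generic weak pattern (concatenating request input directly into an include path) that the helper replaces; the three checks it applies are an allow-list, a strict character filter, and a realpath() containment check so that a canonicalised path can never escape the base directory.

```php
<?php
// Added example (not the plugin's code): a hardened loader for a template
// selected by user-controlled input. Assumptions: templates live under
// $base_dir, $allowed is a fixed allow-list of template stems, and the
// caller passes the raw request value unchanged.

declare(strict_types=1);

/**
 * The generic weak pattern this helper replaces looks like
 *     include $base_dir . $_REQUEST['template'] . '.php';
 * where "../" segments in the request value escape $base_dir.
 *
 * Returns the canonical path to include, or null if the request is rejected.
 */
function cew_example_resolve_template(string $requested, string $base_dir, array $allowed): ?string
{
    // 1. Allow-list: only exact, expected template names survive.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: a template stem is letters, digits, '_' or '-' only.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $requested)) {
        return null;
    }

    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null; // template file does not exist
    }

    // 3. Containment: the canonical file path must start with the canonical base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demo environment so the script runs stand-alone.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cew-example-' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/card.php', "<?php echo 'card template';\n");
file_put_contents($tmp . '/secret.php', "<?php echo 'must never load';\n");

$allowed = ['card', 'list'];
// Constructed sample inputs: one valid name, one allow-listed but missing
// file, and three traversal-shaped values that must all be rejected.
$inputs = ['card', 'list', '../secret', 'card/../../secret', '..%2Fsecret'];
foreach ($inputs as $input) {
    $path = cew_example_resolve_template($input, $tmp . '/templates', $allowed);
    printf("%-20s => %s\n", $input, $path === null ? 'rejected' : 'allowed: ' . basename($path));
}

// Only a resolved, allow-listed path is ever handed to include.
$safe = cew_example_resolve_template('card', $tmp . '/templates', $allowed);
if ($safe !== null) {
    include $safe;
    echo "\n";
}

// Clean up the constructed files.
unlink($tmp . '/templates/card.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/templates');
rmdir($tmp);
```

Running it prints "allowed: card.php" for `card` and "rejected" for every other input, including `list`, which is allow-listed but has no file. The allow-list alone would already block the traversal inputs; the realpath() containment check is kept so that a later mistake in the allow-list (for example adding a name that resolves through a symlink) still cannot reach files outside the template directory. A WAF rule that drops requests containing "../" or its URL-encoded forms complements, but does not replace, this server-side check.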
Update the Consulting Elementor Widgets plugin to the latest available version. The unauthenticated Local File Inclusion vulnerability has been corrected in versions later than 1.3.0. See the plugin changelog for more details about the fix.
CVE-2024-37089 is a critical vulnerability in Consulting Elementor Widgets allowing attackers to include arbitrary files via path traversal, potentially exposing sensitive data or enabling remote code execution.
You are affected if you are using Consulting Elementor Widgets version 1.3.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade Consulting Elementor Widgets to version 1.3.1 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or file permission restrictions.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a likely target. Monitor security advisories for updates.
Refer to the official StylemixThemes website and WordPress plugin repository for the latest advisory and update information.