Platform: wordpress
Component: consulting-elementor-widgets
Fixed in: 1.3.1
CVE-2024-37092 is a Path Traversal vulnerability affecting Consulting Elementor Widgets versions up to 1.3.0. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. A fix is available in version 1.3.1, and users are strongly advised to upgrade immediately.
The Path Traversal vulnerability in Consulting Elementor Widgets allows an attacker to manipulate file paths, bypassing intended restrictions and accessing files outside the designated directory. Specifically, this allows for PHP Local File Inclusion (LFI). Successful exploitation could lead to the disclosure of sensitive configuration files, database credentials, or even source code. Depending on the files accessed, an attacker might be able to execute arbitrary code on the server, effectively gaining control of the WordPress site. This is a high-severity vulnerability due to the potential for complete system compromise.
CVE-2024-37092 was publicly disclosed on June 24, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The availability of a relatively straightforward path traversal vulnerability, coupled with the plugin’s popularity, suggests it could become a target for opportunistic attackers.
Exploit Status
EPSS: 1.08% (78th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-37092 is to upgrade Consulting Elementor Widgets to version 1.3.1 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter malicious requests containing path traversal attempts (e.g., ../ sequences), and carefully reviewing the plugin's code for any other potential vulnerabilities. After upgrading, verify the fix by attempting to access files outside the intended directory via the plugin's interface; access should be denied.
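One way to operationalise the WAF/log-review advice above is to scan web server access logs for path traversal sequences, normalising percent-encoded and double-encoded forms so they are compared the same way as a plain ../. The script below is an added example written for defenders; it is not code from the advisory, from StylemixThemes or from the plugin. The log lines are constructed samples, the query parameter names in them are placeholders, and only the plugin slug consulting-elementor-widgets comes from the page.

```python
"""Flag path-traversal attempts against a WordPress site in Apache/nginx-style access logs.

Added defender-side example; not code from the advisory or the plugin.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The parameter names
# "action" and "template" are placeholders, not the plugin's real parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2024:10:00:01 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/assets/style.css HTTP/1.1" 200 1234
203.0.113.11 - - [24/Jun/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder&template=../../../../wp-config.php HTTP/1.1" 200 512
203.0.113.12 - - [24/Jun/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder&template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512
203.0.113.13 - - [24/Jun/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=placeholder&template=%252e%252e%252fwp-config.php HTTP/1.1" 404 0
203.0.113.14 - - [24/Jun/2024:10:00:05 +0000] "GET /?p=123 HTTP/1.1" 200 9876
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# After normalisation every traversal variant collapses to a literal "../".
TRAVERSAL_RE = re.compile(r'\.\./')


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    sequences are compared in the same form as plain ones; fold backslashes."""
    prev = target
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True if the request target contains a directory-traversal sequence."""
    return TRAVERSAL_RE.search(normalize(target)) is not None


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_attempts(log_text: str):
    """Return (client_ip, request_target, status) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal_attempt(rec["target"]):
            hits.append((rec["ip"], rec["target"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal_attempts(SAMPLE_LOG):
        # A 2xx status on a flagged request deserves the first look during triage.
        print(f"{ip} {status} {target}")
```

On the constructed sample the scan flags the three requests carrying plain, encoded and double-encoded traversal sequences and ignores the two ordinary requests. Run it against a real log with `find_traversal_attempts(open(path).read())`; flagged requests that returned a 2xx status before the upgrade to 1.3.1 are the ones to investigate, and after the upgrade a re-run should show such requests being rejected.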
Update the Consulting Elementor Widgets plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions later than 1.3.0. Consult the plugin documentation for instructions on how to update.
CVE-2024-37092 is a Path Traversal vulnerability in Consulting Elementor Widgets allowing attackers to potentially include arbitrary files on the server.
If you are using Consulting Elementor Widgets version 1.3.0 or earlier, you are vulnerable to this path traversal attack.
Upgrade Consulting Elementor Widgets to version 1.3.1 or later to resolve this vulnerability. Consider temporary WAF rules if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Check the StylemixThemes website and WordPress plugin repository for the latest advisory and update information.