Platform: wordpress
Component: startklar-elmentor-forms-extwidgets
Fixed in: 1.7.14
CVE-2024-4346 is an arbitrary file access vulnerability affecting the Startklar Elementor Addons plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, potentially leading to complete site compromise. Versions of the plugin up to and including 1.7.13 are vulnerable. A patch is available; upgrading is the recommended remediation.
The primary impact of CVE-2024-4346 is the ability for an attacker to delete arbitrary files on a WordPress server. Because the vulnerability requires no authentication, any unauthenticated visitor can exploit it. The most critical consequence is the potential deletion of the wp-config.php file, which contains sensitive database credentials and configuration settings. Deleting this file renders the WordPress site inoperable and potentially allows an attacker to gain full control over the database and server. Beyond wp-config.php, attackers could delete other critical files, disrupting site functionality or gaining a foothold for further malicious activity, up to remote code execution if they are able to upload and execute malicious code after the deletion.
CVE-2024-4346 was publicly disclosed on May 7, 2024. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the severity of the vulnerability.
Exploit Status
EPSS: 22.23% (96th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-4346 is to upgrade the Startklar Elementor Addons plugin to a version that addresses the vulnerability. The vendor has not released a specific fixed version as of this writing, so monitor their website for updates. As a temporary workaround, restrict file upload permissions on the server to prevent attackers from uploading malicious files. Consider implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion requests. Regularly back up your WordPress site, including the wp-config.php file, to facilitate restoration in case of a successful attack. After upgrading, verify the fix by attempting a file deletion request through the plugin’s interface to ensure it is properly restricted.
Update the Startklar Elementor Addons plugin to a version later than 1.7.13. This will fix the arbitrary file deletion vulnerability. The update can be performed from the WordPress admin panel.
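The root cause summarised on this page is improper file path validation before a delete operation. The following PHP is an added defensive example, not code from the Startklar plugin or from the vendor's fix: it shows the containment check a WordPress plugin should apply before unlinking a user-supplied file name, resolving the request with realpath() and refusing anything that does not land strictly inside a single allowed base directory. The function names, the temporary "uploads" directory and the sample files are constructed for the demonstration; in a real plugin the base would be wp_upload_dir()['basedir'] and the handler would additionally enforce a capability check (current_user_can()) and a nonce (check_ajax_referer()), which this example omits to stay self-contained.

```php
<?php
// Added example (not plugin code): confine a user-supplied file name to one
// base directory before unlinking it. All names here are hypothetical.

declare(strict_types=1);

/**
 * Resolve $requested relative to $base and return the absolute path only if
 * it is an existing regular file strictly inside $base; otherwise null.
 */
function resolve_deletable_path(string $base, string $requested): ?string
{
    // Reject empty input and embedded NUL bytes early.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Reject absolute paths (POSIX "/..." and Windows "C:..." or "\...");
    // a legitimate request names something inside $base, never a full path.
    if (preg_match('#^[A-Za-z]:|^[\\\\/]#', $requested) === 1) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", symlinks and duplicate separators, and
    // returns false for a non-existent target, which also ends the request.
    $target = realpath($baseReal . $requested);
    if ($target === false) {
        return null;
    }
    // Containment check: the resolved path must begin with the base prefix
    // (the trailing separator prevents "uploads-evil" matching "uploads").
    if (strncmp($target, $baseReal, strlen($baseReal)) !== 0) {
        return null;
    }
    if (!is_file($target)) {
        return null; // never unlink directories or special files
    }
    return $target;
}

/** Delete only when resolve_deletable_path() accepts the request. */
function delete_upload(string $base, string $requested): bool
{
    $path = resolve_deletable_path($base, $requested);
    return $path !== null && unlink($path);
}

// Constructed fixture: a temporary "uploads" directory holding one file, and a
// sibling file standing in for wp-config.php outside the allowed directory.
$root    = sys_get_temp_dir() . '/path-check-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/photo.jpg', 'constructed upload');
file_put_contents($root . '/wp-config.php', 'constructed config');

// A traversal request is refused and the config file survives; a plain file
// name inside the uploads directory is accepted and removed.
var_dump(delete_upload($uploads, '../wp-config.php'));
var_dump(file_exists($root . '/wp-config.php'));
var_dump(delete_upload($uploads, 'photo.jpg'));

// Clean up the constructed fixture.
@unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root);
```

Running this with the PHP CLI shows the traversal attempt rejected (the first call returns false and the config file still exists) while the in-directory file is deleted. The essential design choice is that containment is checked on the resolved path, after realpath() has normalised ".." segments and symlinks, rather than on the raw string; a blocklist of "../" substrings is easy to bypass with encoded or mixed separators, whereas a prefix check on the canonical path is not. A Web Application Firewall rule that blocks traversal sequences in delete requests, as the mitigation above suggests, is a useful extra layer, but the containment check in the application is the fix that does not depend on request parsing.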
CVE-2024-4346 is a critical vulnerability allowing unauthenticated attackers to delete arbitrary files on a WordPress server, potentially leading to site takeover due to improper file path validation in the Startklar Elementor Addons plugin.
You are affected if you are using Startklar Elementor Addons version 1.7.13 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Startklar Elementor Addons plugin to the latest available version. Monitor the vendor's website for updates and implement temporary workarounds like restricting file upload permissions.
As of the current date, there is no confirmed evidence of active exploitation in the wild, but public proof-of-concept exploits are likely to emerge.
Check the official Startklar Elementor Addons website and WordPress plugin repository for the latest security advisory and update information.